From cf39557b3d9abf663991d4166de0f1193d53c107 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Mar 25 2009 08:14:09 +0000 Subject: - Allow hald_t to read/write ppp config --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 8fc945d..eb4f283 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -17698,7 +17698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2009-02-10 15:07:15.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/hal.te 2009-03-25 09:04:18.000000000 +0100 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -17748,7 +17748,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. userdom_dontaudit_use_unpriv_user_fds(hald_t) -@@ -280,6 +296,12 @@ +@@ -280,6 +296,16 @@ ') optional_policy(` @@ -17758,10 +17758,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') + +optional_policy(` ++ ppp_read_rw_config(hald_t) ++') ++ ++optional_policy(` rpc_search_nfs_state_data(hald_t) ') -@@ -300,12 +322,20 @@ +@@ -300,12 +326,20 @@ vbetool_domtrans(hald_t) ') @@ -17783,7 +17787,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; -@@ -326,6 +356,7 @@ +@@ -326,6 +360,7 @@ dev_getattr_all_chr_files(hald_acl_t) dev_setattr_all_chr_files(hald_acl_t) dev_getattr_generic_usb_dev(hald_acl_t) 
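Review bot: The new `optional_policy` block at outer hunk 17758 grants `ppp_read_rw_config(hald_t)` with no comment saying which hal operation needs write access to ppp configuration, and the commit record only restates "read/write ppp config". If hald only has to read the peer configuration, the narrower read-only `ppp_read_config(hald_t)` interface (if the ppp module in this tree still provides it) would keep the hal daemon from being able to alter ppp settings; if writes are really required, a comment above the block such as `# hald needs write access to ppp config -- TODO name the hal addon that triggers the denial` would record the justification for the next policy review. The surrounding hal.te rule block for hald_t (inner hunk -280) starts and ends outside this hunk.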
@@ -17791,7 +17795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_getattr_video_dev(hald_acl_t) dev_setattr_video_dev(hald_acl_t) dev_getattr_sound_dev(hald_acl_t) -@@ -338,19 +369,30 @@ +@@ -338,19 +373,30 @@ storage_getattr_removable_dev(hald_acl_t) storage_setattr_removable_dev(hald_acl_t) @@ -17822,7 +17826,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; allow hald_mac_t hald_t:unix_stream_socket connectto; -@@ -359,6 +401,8 @@ +@@ -359,6 +405,8 @@ manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_mac_t) @@ -17831,7 +17835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. kernel_read_system_state(hald_mac_t) dev_read_raw_memory(hald_mac_t) -@@ -366,10 +410,15 @@ +@@ -366,10 +414,15 @@ dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) @@ -17847,7 +17851,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. miscfiles_read_localization(hald_mac_t) ######################################## -@@ -388,6 +437,8 @@ +@@ -388,6 +441,8 @@ manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_sonypic_t) @@ -17856,7 +17860,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. files_read_usr_files(hald_sonypic_t) libs_use_ld_so(hald_sonypic_t) -@@ -408,6 +459,8 @@ +@@ -408,6 +463,8 @@ manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t) files_search_var_lib(hald_keymap_t) @@ -17865,7 +17869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_rw_input_dev(hald_keymap_t) files_read_usr_files(hald_keymap_t) -@@ -419,4 +472,50 @@ +@@ -419,4 +476,51 @@ # This is caused by a bug in hald and PolicyKit. # Should be removed when this is fixed 
@@ -17879,6 +17883,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.
 +allow hald_dccm_t self:capability { net_bind_service };
 +allow hald_dccm_t self:process getsched;
 +
++allow hald_dccm_t self:unix_dgram_socket create_socket_perms;
 +allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
 +allow hald_dccm_t self:udp_socket create_socket_perms;
 +allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -32983,7 +32988,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
  allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.5.13/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/iptables.fc 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/iptables.fc 2009-03-25 01:47:29.000000000 +0100
 @@ -6,3 +6,4 @@
  /usr/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
  /usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
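Review bot: The added `allow hald_dccm_t self:unix_dgram_socket create_socket_perms;` at outer hunk 17879 is not mentioned in the commit subject or in the spec changelog entry, and nothing in the hunk says which denial motivated it, so the grant is not auditable from the history. The same omission applies to the evtchnd file contexts added in the xen.fc hunk at 39298; changelog lines such as `- Allow hald_dccm_t to create unix dgram sockets` and `- Add evtchnd file contexts to xen.fc` would cover both. The hald_dccm_t rule block this line sits in starts and ends outside the hunk, so whether a comment already explains the socket use cannot be seen here. The second hunk at 32983 only refreshes the inner patch's iptables.fc timestamp and carries no policy change.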
@@ -39298,8 +39303,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-3.5.13/policy/modules/system/xen.fc
 --- nsaserefpolicy/policy/modules/system/xen.fc 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2009-03-19 18:00:28.000000000 +0100
-@@ -20,6 +20,7 @@
++++ serefpolicy-3.5.13/policy/modules/system/xen.fc 2009-03-25 00:31:36.000000000 +0100
+@@ -1,5 +1,7 @@
+ /dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
+ 
++/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
++
+ /usr/bin/virsh -- gen_context(system_u:object_r:xm_exec_t,s0)
+ 
+ /usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
+@@ -12,14 +14,18 @@
+ /var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+ /var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
+ 
++/var/log/evtchnd\.log -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
+ /var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xen-hotplug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xend\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+ /var/log/xend-debug\.log -- gen_context(system_u:object_r:xend_var_log_t,s0)
+ 
++/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
++/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
  /var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
  /var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
  /var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1503d61..2a08f40 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
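Review bot: The xen.fc lines added here label /usr/sbin/evtchnd, /var/log/evtchnd.log and the /var/run/evtchnd pid file and socket with `evtchnd_exec_t`, `evtchnd_var_log_t` and `evtchnd_var_run_t`, but no declaration of those types appears anywhere in this commit; unless a matching xen.te/xen.if change sits in a part of policy-20080710.patch outside this view, the file contexts will reference undeclared types and the policy build or relabel will fail. The inner xen.fc hunk `@@ -12,14 +14,18 @@` runs past the end of this outer hunk, so its remaining lines are not visible here.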
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 51%{?dist} +Release: 52%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -460,6 +460,9 @@ exit 0 %endif %changelog +* Wed Mar 25 2009 Miroslav Grepl 3.5.13-52 +- Allow hald_t to read/write ppp config + * Mon Mar 23 2009 Miroslav Grepl 3.5.13-51 - Add LIRC policy - Xenner fixes