diff --git a/modules-targeted.conf b/modules-targeted.conf index b27157c..208e679 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -479,6 +479,13 @@ gnome = module # hal = module +# Layer: services +# Module: polkit +# +# Hardware abstraction layer +# +polkit = module + # Layer: system # Module: hostname # diff --git a/policy-20070703.patch b/policy-20070703.patch index 7328627..86e0bdc 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch 
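Review bot: The description comment on the new polkit entry still reads `# Hardware abstraction layer`, which is the text of the hal entry directly above it. Anyone auditing which modules the targeted policy enables will be misled about what this module confines. Going by the changelog entry in this commit ("Add policykit policy"), something like `# PolicyKit authorization framework` would match the module.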
@@ -11202,36 +11202,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.0.8/policy/modules/services/hal.fc --- nsaserefpolicy/policy/modules/services/hal.fc 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/hal.fc 2008-06-12 23:37:59.000000000 -0400 -@@ -8,14 +8,18 @@ ++++ serefpolicy-3.0.8/policy/modules/services/hal.fc 2008-10-08 18:03:32.000000000 -0400 +@@ -8,6 +8,8 @@ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0) /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0) /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) +/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0) ++/usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0) /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0) - /var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) +@@ -15,7 +17,14 @@ -+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) /var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0) - /var/log/pm-suspend.log gen_context(system_u:object_r:hald_log_t,s0) +-/var/log/pm-suspend.log gen_context(system_u:object_r:hald_log_t,s0) ++/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0) +/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0) -+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) - /var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) +-/var/run/haldaemon.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) -/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0) -+/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) ++/var/run/pm(/.*)? 
gen_context(system_u:object_r:hald_var_run_t,s0) ++/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) ++/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0) ++/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0) ++/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0) ++ifdef(`distro_gentoo',` ++/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.0.8/policy/modules/services/hal.if --- nsaserefpolicy/policy/modules/services/hal.if 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/hal.if 2008-06-12 23:37:58.000000000 -0400 -@@ -247,6 +247,24 @@ - - ######################################## - ## -+## Do not audit attempts to list -+## HAL libraries dirs ++++ serefpolicy-3.0.8/policy/modules/services/hal.if 2008-10-08 18:03:35.000000000 -0400 +@@ -302,3 +302,42 @@ + files_search_pids($1) + allow $1 hald_var_run_t:file rw_file_perms; + ') ++ ++######################################## ++## ++## Send a SIGCHLD signal to hal. +## +## +## 
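Review bot: The new hal.fc entry labels `/usr/sbin/radeontool` with `hald_mac_exec_t`, the entry point of the macbook backlight addon, so it runs in `hald_mac_t` when hald executes it (the `domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)` rule appears as context later in this patch). The hal.te changes in this patch add `dev_read_raw_memory` and `self:capability { setgid setuid }` to hald_mac_t next to the existing `dev_write_raw_memory`, so a general-purpose tool now shares a domain that can read and write raw memory. If radeontool needs that access, a comment above the entry should record it, for example `# radeontool is exec'd by hald and needs hald_mac_t's raw memory access`. Otherwise a dedicated exec type would keep the grant narrower. What radeontool is used for is inferred here, not shown in the hunk.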
@@ -11239,21 +11248,44 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +## +## +# -+interface(`hal_dontaudit_list_lib_dirs',` ++interface(`hal_getattr',` + gen_require(` -+ type hald_var_lib_t; ++ type hald_t; + ') + -+ dontaudit $1 hald_var_lib_t:dir list_dir_perms; ++ allow $1 hald_t:process getattr; +') ++ +######################################## +## - ## Do not audit attempts to read or write - ## HAL libraries files - ## ++##f Read hal system state ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`hal_read_state',` ++ gen_require(` ++ type hald_t; ++ ') ++ kernel_search_proc($1) ++ allow $1 hald_t:dir list_dir_perms; ++ read_files_pattern($1,hald_t,hald_t) ++ read_lnk_files_pattern($1,hald_t,hald_t) ++ dontaudit $1 hald_t:process ptrace; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/hal.te 2008-06-12 23:37:59.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/hal.te 2008-10-08 18:11:12.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(hal,1.7.1) ++policy_module(hal,1.9.0) + + ######################################## + # @@ -49,6 +49,9 @@ type hald_var_lib_t; files_type(hald_var_lib_t) 
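Review bot: The interface documentation added to hal.if does not match the rules beneath it. `hal_getattr` (its summary starts in the previous hunk) is described as "Send a SIGCHLD signal to hal." but its only rule is `allow $1 hald_t:process getattr;`. `hal_read_state` has a stray `f` in `##f Read hal system state` and describes its parameter as "Domain to not audit." although it grants list and read access to hald's state. Policy writers pick interfaces by these summaries, so I would change them to `## Get the attributes of the hal process.`, `## Read hal system state.` and `## Domain allowed access.`.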
@@ -11264,6 +11296,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. ######################################## # # Local policy +@@ -57,7 +60,7 @@ + # execute openvt which needs setuid + allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config }; + dontaudit hald_t self:capability {sys_ptrace sys_tty_config }; +-allow hald_t self:process signal_perms; ++allow hald_t self:process { getattr signal_perms }; + allow hald_t self:fifo_file rw_fifo_file_perms; + allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow hald_t self:unix_dgram_socket create_socket_perms; @@ -70,7 +73,7 @@ manage_files_pattern(hald_t,hald_cache_t,hald_cache_t) @@ -11273,7 +11314,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. logging_log_filetrans(hald_t,hald_log_t,file) manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t) -@@ -93,6 +96,7 @@ +@@ -82,8 +85,9 @@ + manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) + manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t) + ++manage_dirs_pattern(hald_t,hald_var_run_t,hald_var_run_t) + manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t) +-files_pid_filetrans(hald_t,hald_var_run_t,file) ++files_pid_filetrans(hald_t,hald_var_run_t,{ dir file }) + + kernel_read_system_state(hald_t) + kernel_read_network_state(hald_t) +@@ -93,6 +97,7 @@ kernel_rw_irq_sysctls(hald_t) kernel_rw_vm_sysctls(hald_t) kernel_write_proc_files(hald_t) 
@@ -11281,15 +11333,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. auth_read_pam_console_data(hald_t) -@@ -145,6 +149,7 @@ - fs_list_inotifyfs(hald_t) - fs_list_auto_mountpoints(hald_t) - files_getattr_all_mountpoints(hald_t) -+fstools_getattr_swap_files(hald_t) - - mls_file_read_all_levels(hald_t) +@@ -121,6 +126,7 @@ + dev_rw_power_management(hald_t) + # hal is now execing pm-suspend + dev_rw_sysfs(hald_t) ++dev_read_video_dev(hald_t) -@@ -155,6 +160,8 @@ + domain_use_interactive_fds(hald_t) + domain_read_all_domains_state(hald_t) +@@ -155,6 +161,8 @@ selinux_compute_relabel_context(hald_t) selinux_compute_user_contexts(hald_t) @@ -11298,7 +11350,50 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. storage_raw_read_removable_device(hald_t) storage_raw_write_removable_device(hald_t) storage_raw_read_fixed_disk(hald_t) -@@ -280,6 +287,10 @@ +@@ -172,6 +180,8 @@ + init_rw_utmp(hald_t) + init_telinit(hald_t) + ++fstools_getattr_swap_files(hald_t) ++ + libs_use_ld_so(hald_t) + libs_use_shared_libs(hald_t) + libs_exec_ld_so(hald_t) +@@ -229,9 +239,7 @@ + + optional_policy(` + dbus_system_bus_client_template(hald,hald_t) +- dbus_send_system_bus(hald_t) + dbus_connect_system_bus(hald_t) +- allow hald_t self:dbus send_msg; + + init_dbus_chat_script(hald_t) + +@@ -246,6 +254,10 @@ + ') + + optional_policy(` ++ gpm_dontaudit_getattr_gpmctl(hald_t) ++') ++ ++optional_policy(` + hotplug_read_config(hald_t) + ') + +@@ -267,6 +279,12 @@ + ') + + optional_policy(` ++ polkit_domtrans_auth(hald_t) ++ polkit_domtrans_resolve(hald_t) ++ polkit_read_lib(hald_t) ++') ++ ++optional_policy(` + rpc_search_nfs_state_data(hald_t) + ') + +@@ -284,16 +302,25 @@ ') optional_policy(` 
@@ -11306,20 +11401,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. +') + +optional_policy(` - updfstab_domtrans(hald_t) + vbetool_domtrans(hald_t) ') -@@ -293,7 +304,9 @@ ++optional_policy(` ++ virt_manage_image(hald_t) ++') ++ + ######################################## + # + # Hal acl local policy # allow hald_acl_t self:capability { dac_override fowner }; -+allow hald_acl_t self:process signal; - allow hald_acl_t self:fifo_file read_fifo_file_perms; -+allow hald_acl_t self:unix_dgram_socket create_socket_perms; +-allow hald_acl_t self:fifo_file read_fifo_file_perms; ++allow hald_acl_t self:process { getattr signal }; ++allow hald_acl_t self:fifo_file rw_fifo_file_perms; domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t) allow hald_t hald_acl_t:process signal; -@@ -306,6 +319,7 @@ +@@ -303,9 +330,14 @@ + manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t) + files_search_var_lib(hald_acl_t) + ++manage_dirs_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t) ++manage_files_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t) ++files_pid_filetrans(hald_acl_t,hald_var_run_t,{ dir file }) ++ corecmd_exec_bin(hald_acl_t) dev_getattr_all_chr_files(hald_acl_t) @@ -11327,7 +11435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. dev_getattr_generic_usb_dev(hald_acl_t) dev_getattr_video_dev(hald_acl_t) dev_setattr_video_dev(hald_acl_t) -@@ -325,6 +339,8 @@ +@@ -325,13 +357,22 @@ libs_use_ld_so(hald_acl_t) libs_use_shared_libs(hald_acl_t) 
@@ -11335,22 +11443,67 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. + miscfiles_read_localization(hald_acl_t) ++optional_policy(` ++ polkit_domtrans_auth(hald_acl_t) ++ polkit_read_lib(hald_acl_t) ++') ++ ######################################## -@@ -340,10 +356,14 @@ + # + # Local hald mac policy + # + ++allow hald_mac_t self:capability { setgid setuid }; ++ + domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) + allow hald_t hald_mac_t:process signal; + allow hald_mac_t hald_t:unix_stream_socket connectto; +@@ -340,9 +381,18 @@ manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t) files_search_var_lib(hald_mac_t) ++write_files_pattern(hald_mac_t, hald_log_t, hald_log_t) ++ +dev_read_raw_memory(hald_mac_t) dev_write_raw_memory(hald_mac_t) +dev_read_sysfs(hald_mac_t) files_read_usr_files(hald_mac_t) - ++files_read_etc_files(hald_mac_t) ++ +kernel_read_system_state(hald_mac_t) + ++auth_use_nsswitch(hald_mac_t) + libs_use_ld_so(hald_mac_t) libs_use_shared_libs(hald_mac_t) +@@ -365,6 +415,8 @@ + manage_files_pattern(hald_sonypic_t,hald_var_lib_t,hald_var_lib_t) + files_search_var_lib(hald_sonypic_t) + ++write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t) ++ + files_read_usr_files(hald_sonypic_t) + + libs_use_ld_so(hald_sonypic_t) +@@ -385,6 +437,8 @@ + manage_files_pattern(hald_keymap_t,hald_var_lib_t,hald_var_lib_t) + files_search_var_lib(hald_keymap_t) ++write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t) ++ + dev_rw_input_dev(hald_keymap_t) + + files_read_usr_files(hald_keymap_t) +@@ -393,3 +447,8 @@ + libs_use_shared_libs(hald_keymap_t) + + miscfiles_read_localization(hald_keymap_t) ++ ++# This is caused by a bug in hald and PolicyKit. 
++# Should be removed when this is fixed ++cron_read_system_job_lib_files(hald_t) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.if serefpolicy-3.0.8/policy/modules/services/inetd.if --- nsaserefpolicy/policy/modules/services/inetd.if 2008-06-12 23:37:57.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/inetd.if 2008-06-12 23:37:58.000000000 -0400 @@ -12905,7 +13058,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-09-25 15:15:35.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2008-10-08 18:10:53.000000000 -0400 @@ -1,5 +1,5 @@ -policy_module(networkmanager,1.7.1) @@ -13054,11 +13207,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -159,22 +185,25 @@ +@@ -159,22 +185,30 @@ ') optional_policy(` - ppp_domtrans(NetworkManager_t) ++ polkit_domtrans_auth(NetworkManager_t) ++ polkit_read_lib(NetworkManager_t) ++') ++ ++optional_policy(` + ppp_script_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) 
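Review bot: The `cron_read_system_job_lib_files(hald_t)` call appended at the end of hal.te sits outside any `optional_policy` block, while the polkit, gpm and virt calls added to this file are each wrapped in one. That presumably makes the hal module depend on the cron module being present. The same access already reaches hald_t through `polkit_read_lib(hald_t)`, whose body in polkit.if makes the identical call, so the workaround is granted twice. I would wrap it as ``optional_policy(` cron_read_system_job_lib_files(hald_t) ')`` and extend the comment with the bug reference, so the workaround can be found and removed once hald and PolicyKit are fixed.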
@@ -13720,6 +13878,460 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega rpm_exec(pegasus_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.0.8/policy/modules/services/polkit.fc +--- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/polkit.fc 2008-10-08 18:02:52.000000000 -0400 +@@ -0,0 +1,9 @@ ++ ++/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:polkit_auth_exec_t,s0) ++/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:polkit_grant_exec_t,s0) ++/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:polkit_resolve_exec_t,s0) ++/usr/libexec/polkitd -- gen_context(system_u:object_r:polkit_exec_t,s0) ++ ++/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) ++/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:polkit_var_run_t,s0) ++/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.0.8/policy/modules/services/polkit.if +--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/polkit.if 2008-10-08 18:02:52.000000000 -0400 +@@ -0,0 +1,213 @@ ++ ++## policy for polkit_auth ++ ++######################################## ++## ++## Execute a domain transition to run polkit_auth. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`polkit_domtrans_auth',` ++ gen_require(` ++ type polkit_auth_t; ++ type polkit_auth_exec_t; ++ ') ++ ++ domtrans_pattern($1,polkit_auth_exec_t,polkit_auth_t) ++') ++ ++######################################## ++## ++## Search polkit lib directories. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++# ++interface(`polkit_search_lib',` ++ gen_require(` ++ type polkit_var_lib_t; ++ ') ++ ++ allow $1 polkit_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ ++######################################## ++## ++## read polkit lib files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`polkit_read_lib',` ++ gen_require(` ++ type polkit_var_lib_t; ++ ') ++ ++ files_search_var_lib($1) ++ read_files_pattern($1, polkit_var_lib_t, polkit_var_lib_t) ++ ++ # Broken placement ++ cron_read_system_job_lib_files($1) ++') ++ ++######################################## ++## ++## Execute a domain transition to run polkit_grant. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`polkit_domtrans_grant',` ++ gen_require(` ++ type polkit_grant_t; ++ type polkit_grant_exec_t; ++ ') ++ ++ domtrans_pattern($1,polkit_grant_exec_t,polkit_grant_t) ++') ++ ++######################################## ++## ++## Execute a domain transition to run polkit_resolve. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`polkit_domtrans_resolve',` ++ gen_require(` ++ type polkit_resolve_t; ++ type polkit_resolve_exec_t; ++ ') ++ ++ domtrans_pattern($1,polkit_resolve_exec_t,polkit_resolve_t) ++ ++ allow polkit_resolve_t $1:dir list_dir_perms; ++ read_files_pattern(polkit_resolve_t, $1, $1) ++ read_lnk_files_pattern(polkit_resolve_t, $1, $1) ++ allow polkit_resolve_t $1:process getattr; ++') ++ ++######################################## ++## ++## Execute a policy_grant in the policy_grant domain, and ++## allow the specified role the policy_grant domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the load_policy domain. ++## ++## ++## ++## ++## The type of the terminal allow the load_policy domain to use. 
++## ++## ++## ++# ++interface(`polkit_run_grant',` ++ gen_require(` ++ type polkit_grant_t; ++ ') ++ ++ polkit_domtrans_grant($1) ++ role $2 types polkit_grant_t; ++ allow polkit_grant_t $3:chr_file rw_term_perms; ++ allow $1 polkit_grant_t:process signal; ++ read_files_pattern(polkit_grant_t, $1, $1) ++ allow polkit_grant_t $1:process getattr; ++') ++ ++######################################## ++## ++## Execute a policy_auth in the policy_auth domain, and ++## allow the specified role the policy_auth domain, ++## and use the caller's terminal. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed the load_policy domain. ++## ++## ++## ++## ++## The type of the terminal allow the load_policy domain to use. ++## ++## ++# ++interface(`polkit_run_auth',` ++ gen_require(` ++ type polkit_auth_t; ++ ') ++ ++ polkit_domtrans_auth($1) ++ role $2 types polkit_auth_t; ++ allow polkit_auth_t $3:chr_file rw_term_perms; ++') ++ ++####################################### ++## ++## The per role template for the nsplugin module. ++## ++## ++##

++## This template creates a derived domains which are used ++## for nsplugin web browser. ++##

++##

++## This template is invoked automatically for each user, and ++## generally does not need to be invoked directly ++## by policy writers. ++##

++##
++## ++## ++## The prefix of the user domain (e.g., user ++## is the prefix for user_t). ++## ++## ++## ++## ++## The type of the user domain. ++## ++## ++## ++## ++## The role associated with the user domain. ++## ++## ++## ++# ++template(`polkit_per_role_template',` ++ polkit_run_auth($2, $3, { $1_devpts_t $1_tty_device_t }) ++ polkit_run_grant($2, $3, { $1_devpts_t $1_tty_device_t }) ++ polkit_read_lib($2) ++') ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.0.8/policy/modules/services/polkit.te +--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/polkit.te 2008-10-08 18:02:52.000000000 -0400 +@@ -0,0 +1,220 @@ ++policy_module(polkit_auth,1.0.0) ++ ++######################################## ++# ++# Declarations ++# ++ ++type polkit_t; ++type polkit_exec_t; ++init_daemon_domain(polkit_t, polkit_exec_t) ++ ++type polkit_grant_t; ++type polkit_grant_exec_t; ++init_system_domain(polkit_grant_t, polkit_grant_exec_t) ++ ++type polkit_resolve_t; ++type polkit_resolve_exec_t; ++init_system_domain(polkit_resolve_t, polkit_resolve_exec_t) ++ ++type polkit_auth_t; ++type polkit_auth_exec_t; ++init_daemon_domain(polkit_auth_t, polkit_auth_exec_t) ++ ++type polkit_var_lib_t; ++files_type(polkit_var_lib_t) ++ ++type polkit_var_run_t; ++files_pid_file(polkit_var_run_t) ++ ++######################################## ++# ++# polkit local policy ++# ++ ++allow polkit_t self:capability setgid; ++allow polkit_t self:process getattr; ++ ++allow polkit_t self:unix_dgram_socket create_socket_perms; ++allow polkit_t self:fifo_file rw_file_perms; ++allow polkit_t self:unix_stream_socket create_stream_socket_perms; ++ ++can_exec(polkit_t, polkit_exec_t) ++corecmd_exec_bin(polkit_t) ++ ++domain_use_interactive_fds(polkit_t) ++ ++files_read_etc_files(polkit_t) ++files_read_usr_files(polkit_t) ++ ++fs_list_inotifyfs(polkit_t) ++ 
++kernel_read_kernel_sysctls(polkit_t) ++ ++auth_use_nsswitch(polkit_t) ++ ++libs_use_ld_so(polkit_t) ++libs_use_shared_libs(polkit_t) ++ ++miscfiles_read_localization(polkit_t) ++ ++logging_send_syslog_msg(polkit_t) ++ ++manage_files_pattern(polkit_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++# pid file ++manage_dirs_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t) ++manage_files_pattern(polkit_t,polkit_var_run_t,polkit_var_run_t) ++files_pid_filetrans(polkit_t,polkit_var_run_t, { file dir }) ++ ++optional_policy(` ++ dbus_system_domain(polkit_t, polkit_exec_t) ++ optional_policy(` ++ consolekit_dbus_chat(polkit_t) ++ ') ++') ++ ++######################################## ++# ++# polkit_auth local policy ++# ++ ++allow polkit_auth_t self:capability setgid; ++allow polkit_auth_t self:process { getattr }; ++ ++allow polkit_auth_t self:unix_dgram_socket create_socket_perms; ++allow polkit_auth_t self:fifo_file rw_file_perms; ++allow polkit_auth_t self:unix_stream_socket create_stream_socket_perms; ++ ++can_exec(polkit_auth_t, polkit_auth_exec_t) ++corecmd_search_bin(polkit_auth_t) ++ ++domain_use_interactive_fds(polkit_auth_t) ++ ++files_read_etc_files(polkit_auth_t) ++files_read_usr_files(polkit_auth_t) ++ ++auth_use_nsswitch(polkit_auth_t) ++ ++libs_use_ld_so(polkit_auth_t) ++libs_use_shared_libs(polkit_auth_t) ++ ++miscfiles_read_localization(polkit_auth_t) ++ ++logging_send_syslog_msg(polkit_auth_t) ++ ++manage_files_pattern(polkit_auth_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++# pid file ++manage_dirs_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) ++manage_files_pattern(polkit_auth_t,polkit_var_run_t,polkit_var_run_t) ++files_pid_filetrans(polkit_auth_t,polkit_var_run_t, { file dir }) ++ ++userdom_append_unpriv_users_home_content_files(polkit_auth_t) ++userdom_dontaudit_read_unpriv_users_home_content_files(polkit_auth_t) ++ ++optional_policy(` ++ dbus_system_bus_client_template(polkit_auth, polkit_auth_t) ++ consolekit_dbus_chat(polkit_auth_t) ++ 
dbus_system_domain(polkit_exec_t, polkit_t) ++') ++ ++optional_policy(` ++ hal_getattr(polkit_auth_t) ++ hal_read_state(polkit_auth_t) ++') ++ ++######################################## ++# ++# polkit_grant local policy ++# ++ ++allow polkit_grant_t self:capability setuid; ++allow polkit_grant_t self:process getattr; ++ ++allow polkit_grant_t self:unix_dgram_socket create_socket_perms; ++allow polkit_grant_t self:fifo_file rw_file_perms; ++allow polkit_grant_t self:unix_stream_socket create_stream_socket_perms; ++ ++can_exec(polkit_grant_t, polkit_grant_exec_t) ++corecmd_search_bin(polkit_grant_t) ++ ++files_read_etc_files(polkit_grant_t) ++files_read_usr_files(polkit_grant_t) ++ ++auth_use_nsswitch(polkit_grant_t) ++auth_domtrans_chk_passwd(polkit_grant_t) ++ ++libs_use_ld_so(polkit_grant_t) ++libs_use_shared_libs(polkit_grant_t) ++ ++miscfiles_read_localization(polkit_grant_t) ++ ++logging_send_syslog_msg(polkit_grant_t) ++ ++polkit_domtrans_auth(polkit_grant_t) ++ ++manage_files_pattern(polkit_grant_t,polkit_var_run_t,polkit_var_run_t) ++ ++manage_files_pattern(polkit_grant_t, polkit_var_lib_t, polkit_var_lib_t) ++userdom_read_all_users_state(polkit_grant_t) ++ ++optional_policy(` ++ dbus_system_bus_client_template(polkit_grant, polkit_grant_t) ++ consolekit_dbus_chat(polkit_grant_t) ++') ++ ++gen_require(` ++ type system_crond_var_lib_t; ++') ++manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t) ++ ++######################################## ++# ++# polkit_resolve local policy ++# ++ ++allow polkit_resolve_t self:capability { setuid sys_nice sys_ptrace }; ++allow polkit_resolve_t self:process getattr; ++ ++allow polkit_resolve_t self:unix_dgram_socket create_socket_perms; ++allow polkit_resolve_t self:fifo_file rw_file_perms; ++allow polkit_resolve_t self:unix_stream_socket create_stream_socket_perms; ++ ++read_files_pattern(polkit_resolve_t, polkit_var_lib_t, polkit_var_lib_t) ++ ++can_exec(polkit_resolve_t, 
polkit_resolve_exec_t) ++corecmd_search_bin(polkit_resolve_t) ++ ++polkit_domtrans_auth(polkit_resolve_t) ++ ++files_read_etc_files(polkit_resolve_t) ++files_read_usr_files(polkit_resolve_t) ++ ++auth_use_nsswitch(polkit_resolve_t) ++ ++libs_use_ld_so(polkit_resolve_t) ++libs_use_shared_libs(polkit_resolve_t) ++ ++miscfiles_read_localization(polkit_resolve_t) ++ ++logging_send_syslog_msg(polkit_resolve_t) ++userdom_read_all_users_state(polkit_resolve_t) ++userdom_ptrace_all_users(polkit_resolve_t) ++mcs_ptrace_all(polkit_resolve_t) ++ ++optional_policy(` ++ dbus_system_bus_client_template(polkit_resolve, polkit_resolve_t) ++ optional_policy(` ++ consolekit_dbus_chat(polkit_resolve_t) ++ ') ++') ++ ++optional_policy(` ++ hal_getattr(polkit_resolve_t) ++ hal_read_state(polkit_resolve_t) ++') ++ ++optional_policy(` ++ unconfined_ptrace(polkit_resolve_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.0.8/policy/modules/services/portmap.te --- nsaserefpolicy/policy/modules/services/portmap.te 2008-06-12 23:37:57.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/portmap.te 2008-06-12 23:37:58.000000000 -0400 
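Review bot: In polkit.te the polkit_auth optional block calls `dbus_system_domain(polkit_exec_t, polkit_t)`, with the arguments in the opposite order to the `dbus_system_domain(polkit_t, polkit_exec_t)` call in the polkit_t section, and it names the daemon's types rather than polkit_auth's. One of the two orders must be wrong. The line looks like a paste that should either be dropped or read `dbus_system_domain(polkit_auth_t, polkit_auth_exec_t)`. Separately, the `gen_require` of `system_crond_var_lib_t` followed by `manage_files_pattern(polkit_grant_t, system_crond_var_lib_t, system_crond_var_lib_t)` gives the grant helper, which holds `capability setuid`, write access to cron's job state by naming another module's type directly. Like the `# Broken placement` call in `polkit_read_lib`, this needs a comment naming the bug it works around, and it would be better expressed through a cron interface inside `optional_policy`.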
@@ -15937,57 +16549,70 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.fc serefpolicy-3.0.8/policy/modules/services/rsync.fc --- nsaserefpolicy/policy/modules/services/rsync.fc 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rsync.fc 2008-06-12 23:37:58.000000000 -0400 -@@ -1,2 +1,4 @@ ++++ serefpolicy-3.0.8/policy/modules/services/rsync.fc 2008-10-06 08:55:48.000000000 -0400 +@@ -1,2 +1,6 @@ /usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0) + -+/var/log/rsync.log -- gen_context(system_u:object_r:rsync_log_t,s0) ++/var/log/rsync\.log -- gen_context(system_u:object_r:rsync_log_t,s0) ++ ++/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2008-06-12 23:37:58.000000000 -0400 -@@ -8,6 +8,13 @@ ++++ serefpolicy-3.0.8/policy/modules/services/rsync.te 2008-10-06 08:28:18.000000000 -0400 +@@ -1,5 +1,5 @@ + +-policy_module(rsync,1.5.0) ++policy_module(rsync, 1.6.1) + + ######################################## + # +@@ -8,20 +8,32 @@ ## ##

-+## Allow rsync export files read only ++## Allow rsync to export any files/directories read only. +##

+##
-+gen_tunable(rsync_export_all_ro,false) ++gen_tunable(rsync_export_all_ro, false) + +## +##

## Allow rsync to modify public files - ## used for public file transfer services. +-## used for public file transfer services. ++## used for public file transfer services. Files/Directories must be ++## labeled public_content_rw_t. ##

-@@ -17,6 +24,7 @@ + ##
+-gen_tunable(allow_rsync_anon_write,false) ++gen_tunable(allow_rsync_anon_write, false) + type rsync_t; type rsync_exec_t; - init_daemon_domain(rsync_t,rsync_exec_t) +-init_daemon_domain(rsync_t,rsync_exec_t) ++init_daemon_domain(rsync_t, rsync_exec_t) +application_executable_file(rsync_exec_t) role system_r types rsync_t; type rsync_data_t; -@@ -25,6 +33,9 @@ - type rsync_tmp_t; - files_tmp_file(rsync_tmp_t) + files_type(rsync_data_t) +type rsync_log_t; +logging_log_file(rsync_log_t) + - type rsync_var_run_t; - files_pid_file(rsync_var_run_t) + type rsync_tmp_t; + files_tmp_file(rsync_tmp_t) -@@ -33,7 +44,7 @@ +@@ -33,7 +45,7 @@ # Local policy # -allow rsync_t self:capability sys_chroot; -+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot }; ++allow rsync_t self:capability { chown dac_read_search dac_override setuid setgid sys_chroot }; allow rsync_t self:process signal_perms; allow rsync_t self:fifo_file rw_fifo_file_perms; allow rsync_t self:tcp_socket create_stream_socket_perms; -@@ -43,7 +54,6 @@ +@@ -43,19 +55,21 @@ # cjp: this should probably only be inetd_child_t rules? # search home and kerberos also. allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms; 
@@ -15995,16 +16620,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn #end for identd allow rsync_t rsync_data_t:dir list_dir_perms; -@@ -57,6 +67,8 @@ - manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) - files_pid_filetrans(rsync_t,rsync_var_run_t,file) - -+auth_use_nsswitch(rsync_t) +-read_files_pattern(rsync_t,rsync_data_t,rsync_data_t) +-read_lnk_files_pattern(rsync_t,rsync_data_t,rsync_data_t) ++read_files_pattern(rsync_t, rsync_data_t, rsync_data_t) ++read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t) + ++manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t) ++logging_log_filetrans(rsync_t, rsync_log_t, file) + +-manage_dirs_pattern(rsync_t,rsync_tmp_t,rsync_tmp_t) +-manage_files_pattern(rsync_t,rsync_tmp_t,rsync_tmp_t) ++manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) ++manage_files_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t) + files_tmp_filetrans(rsync_t, rsync_tmp_t, { file dir }) + +-manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t) +-files_pid_filetrans(rsync_t,rsync_var_run_t,file) ++manage_files_pattern(rsync_t, rsync_var_run_t, rsync_var_run_t) ++files_pid_filetrans(rsync_t, rsync_var_run_t, file) + kernel_read_kernel_sysctls(rsync_t) kernel_read_system_state(rsync_t) - kernel_read_network_state(rsync_t) -@@ -80,17 +92,18 @@ +@@ -80,17 +94,16 @@ files_read_etc_files(rsync_t) files_search_home(rsync_t) @@ -16015,8 +16652,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn logging_send_syslog_msg(rsync_t) -logging_dontaudit_search_logs(rsync_t) -+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t) -+logging_log_filetrans(rsync_t,rsync_log_t,file) miscfiles_read_localization(rsync_t) miscfiles_read_public_files(rsync_t) 
@@ -16026,15 +16661,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn tunable_policy(`allow_rsync_anon_write',` miscfiles_manage_public_files(rsync_t) ') -@@ -107,10 +120,7 @@ - inetd_service_domain(rsync_t,rsync_exec_t) +@@ -104,13 +117,10 @@ ') --optional_policy(` -- nis_use_ypbind(rsync_t) + optional_policy(` +- inetd_service_domain(rsync_t,rsync_exec_t) -') - -optional_policy(` +- nis_use_ypbind(rsync_t) ++ inetd_service_domain(rsync_t, rsync_exec_t) + ') + +-optional_policy(` - nscd_socket_use(rsync_t) +tunable_policy(`rsync_export_all_ro',` + fs_read_noxattr_fs_files(rsync_t) @@ -21918,7 +22557,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.0.8/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2008-06-12 23:37:57.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if 2008-06-12 23:37:59.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/miscfiles.if 2008-10-01 08:07:37.000000000 -0400 @@ -57,6 +57,26 @@ ## ## diff --git a/selinux-policy.spec b/selinux-policy.spec index 476edf8..da3e3f8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 117%{?dist} +Release: 118%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -381,6 +381,9 @@ exit 0 %endif %changelog +* Wed Oct 8 2008 Dan Walsh 3.0.8-118 +- Add policykit policy + * Thu Sep 25 2008 Dan Walsh 3.0.8-117 - Update networkmanager to latest upstream version