[selinux-policy: 2057/3172] trunk: 5 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:02:37 UTC 2010 

commit fcee22ad0dc6540d781e69fc9c6369234688f973
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Nov 19 15:24:10 2008 +0000

    trunk: 5 patches from dan.

 policy/modules/services/audioentropy.fc |    2 +
 policy/modules/services/audioentropy.te |    6 ++-
 policy/modules/services/avahi.fc        |    4 ++
 policy/modules/services/avahi.if        |   90 +++++++++++++++++++++++++++++++
 policy/modules/services/avahi.te        |   15 +++++-
 policy/modules/services/bluetooth.fc    |    5 ++
 policy/modules/services/bluetooth.if    |   53 ++++++++++++++++++
 policy/modules/services/bluetooth.te    |   19 +++++--
 policy/modules/services/dcc.if          |   18 ++++++
 policy/modules/services/dcc.te          |   58 ++++++--------------
 policy/modules/services/hal.fc          |    3 +-
 policy/modules/services/hal.if          |   39 +++++++++++++
 policy/modules/services/hal.te          |   23 ++++++--
 13 files changed, 280 insertions(+), 55 deletions(-)
---
diff --git a/policy/modules/services/audioentropy.fc b/policy/modules/services/audioentropy.fc
index bcf3e1c..001235e 100644
--- a/policy/modules/services/audioentropy.fc
+++ b/policy/modules/services/audioentropy.fc
@@ -2,3 +2,5 @@
 # /usr
 #
 /usr/sbin/audio-entropyd	--	gen_context(system_u:object_r:entropyd_exec_t,s0)
+
+/var/run/audio-entropyd\.pid	--	gen_context(system_u:object_r:entropyd_var_run_t,s0)
diff --git a/policy/modules/services/audioentropy.te b/policy/modules/services/audioentropy.te
index 64a716a..d56d600 100644
--- a/policy/modules/services/audioentropy.te
+++ b/policy/modules/services/audioentropy.te
@@ -1,5 +1,5 @@
 
-policy_module(audio_entropy, 1.4.1)
+policy_module(audio_entropy, 1.4.2)
 
 ########################################
 #
@@ -35,6 +35,10 @@ dev_write_urand(entropyd_t)
 dev_read_rand(entropyd_t)
 dev_write_rand(entropyd_t)
 dev_read_sound(entropyd_t)
+# set sound card parameters such as
+# sample format, number of channels
+# and sample rate.
+dev_write_sound(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
diff --git a/policy/modules/services/avahi.fc b/policy/modules/services/avahi.fc
index 49dcc5f..01a01a7 100644
--- a/policy/modules/services/avahi.fc
+++ b/policy/modules/services/avahi.fc
@@ -1,5 +1,9 @@
+/etc/rc\.d/init\.d/avahi.*	--	gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
 
 /usr/sbin/avahi-daemon		--	gen_context(system_u:object_r:avahi_exec_t,s0)
 /usr/sbin/avahi-dnsconfd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
+/usr/sbin/avahi-autoipd 	--	gen_context(system_u:object_r:avahi_exec_t,s0)
 
 /var/run/avahi-daemon(/.*)? 		gen_context(system_u:object_r:avahi_var_run_t,s0)
+
+/usr/lib/avahi-autoipd(/.*)		gen_context(system_u:object_r:avahi_var_lib_t,s0)
diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 607c113..74823c8 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -2,6 +2,61 @@
 
 ########################################
 ## <summary>
+##	Execute avahi server in the avahi domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`avahi_domtrans',`
+	gen_require(`
+		type avahi_exec_t, avahi_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, avahi_exec_t, avahi_t)
+')
+
+########################################
+## <summary>
+##	Send avahi a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`avahi_signal',`
+	gen_require(`
+		type avahi_t;
+	')
+
+	allow $1 avahi_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send avahi a kill signal.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`avahi_kill',`
+	gen_require(`
+		type avahi_t;
+	')
+
+	allow $1 avahi_t:process sigkill;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	avahi over dbus.
 ## </summary>
@@ -57,3 +112,38 @@ interface(`avahi_dontaudit_search_pid',`
 
 	dontaudit $1 avahi_var_run_t:dir search_dir_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an avahi environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the avahi domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`avahi_admin',`
+	gen_require(`
+		type avahi_t, avahi_var_run_t;
+		type avahi_initrc_exec_t;
+	')
+
+	allow $1 avahi_t:process { ptrace signal_perms };
+	ps_process_pattern($1, avahi_t)
+
+	init_labeled_script_domtrans($1, avahi_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 avahi_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_pids($1)
+	admin_pattern($1, avahi_var_run_t)
+')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 8120ad5..719990a 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
 
-policy_module(avahi, 1.9.1)
+policy_module(avahi, 1.9.2)
 
 ########################################
 #
@@ -10,6 +10,12 @@ type avahi_t;
 type avahi_exec_t;
 init_daemon_domain(avahi_t, avahi_exec_t)
 
+type avahi_initrc_exec_t;
+init_script_file(avahi_initrc_exec_t)
+
+type avahi_var_lib_t;
+files_pid_file(avahi_var_lib_t)
+
 type avahi_var_run_t;
 files_pid_file(avahi_var_run_t)
 
@@ -20,13 +26,17 @@ files_pid_file(avahi_var_run_t)
 
 allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot };
 dontaudit avahi_t self:capability sys_tty_config;
-allow avahi_t self:process { setrlimit signal_perms setcap };
+allow avahi_t self:process { setrlimit signal_perms getcap setcap };
 allow avahi_t self:fifo_file rw_fifo_file_perms;
 allow avahi_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow avahi_t self:unix_dgram_socket create_socket_perms;
 allow avahi_t self:tcp_socket create_stream_socket_perms;
 allow avahi_t self:udp_socket create_socket_perms;
 
+manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+manage_files_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
+files_var_lib_filetrans(avahi_t, avahi_var_lib_t, { dir file })
+
 manage_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 manage_sock_files_pattern(avahi_t, avahi_var_run_t, avahi_var_run_t)
 allow avahi_t avahi_var_run_t:dir setattr;
@@ -73,6 +83,7 @@ init_signull_script(avahi_t)
 logging_send_syslog_msg(avahi_t)
 
 miscfiles_read_localization(avahi_t)
+miscfiles_read_certs(avahi_t)
 
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_user_home_dirs(avahi_t)
diff --git a/policy/modules/services/bluetooth.fc b/policy/modules/services/bluetooth.fc
index 3cb34d0..caa9338 100644
--- a/policy/modules/services/bluetooth.fc
+++ b/policy/modules/services/bluetooth.fc
@@ -3,6 +3,9 @@
 #
 /etc/bluetooth(/.*)?		gen_context(system_u:object_r:bluetooth_conf_t,s0)
 /etc/bluetooth/link_key		gen_context(system_u:object_r:bluetooth_conf_rw_t,s0)
+/etc/rc\.d/init\.d/bluetooth --	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dund	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/pand	--	gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
 
 #
 # /usr
@@ -21,4 +24,6 @@
 # /var
 #
 /var/lib/bluetooth(/.*)?	gen_context(system_u:object_r:bluetooth_var_lib_t,s0)
+
+/var/run/bluetoothd_address	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
 /var/run/sdp		-s	gen_context(system_u:object_r:bluetooth_var_run_t,s0)
diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index edf2769..f6028fd 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -152,3 +152,56 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 	dontaudit $1 bluetooth_helper_t:dir search;
 	dontaudit $1 bluetooth_helper_t:file { read getattr };
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an bluetooth environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the bluetooth domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`bluetooth_admin',`
+	gen_require(`
+		type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
+		type bluetooth_spool_t, bluetooth_var_lib_t, bluetooth_var_run_t;
+		type bluetooth_conf_t, bluetooth_conf_rw_t;
+		type bluetooth_initrc_exec_t;
+	')
+
+	allow $1 bluetooth_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bluetooth_t)
+
+	init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bluetooth_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bluetooth_tmp_t)
+
+	files_list_var($1)
+	admin_pattern($1, bluetooth_lock_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bluetooth_conf_t)
+	admin_pattern($1, bluetooth_conf_rw_t)
+
+	files_list_spool($1)
+	admin_pattern($1, bluetooth_spool_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bluetooth_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bluetooth_var_run_t)
+')
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 302dd11..ad014bd 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
 
-policy_module(bluetooth, 3.0.0)
+policy_module(bluetooth, 3.0.1)
 
 ########################################
 #
@@ -34,6 +34,9 @@ typealias bluetooth_helper_tmpfs_t alias { auditadm_bluetooth_helper_tmpfs_t sec
 files_tmpfs_file(bluetooth_helper_tmpfs_t)
 ubac_constrained(bluetooth_helper_tmpfs_t)
 
+type bluetooth_initrc_exec_t;
+init_script_file(bluetooth_initrc_exec_t)
+
 type bluetooth_lock_t;
 files_lock_file(bluetooth_lock_t)
 
@@ -51,14 +54,14 @@ files_pid_file(bluetooth_var_run_t)
 # Bluetooth services local policy
 #
 
-allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
+allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
 dontaudit bluetooth_t self:capability sys_tty_config;
 allow bluetooth_t self:process { getsched signal_perms };
 allow bluetooth_t self:fifo_file rw_fifo_file_perms;
 allow bluetooth_t self:shm create_shm_perms;
 allow bluetooth_t self:socket create_stream_socket_perms;
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
-allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow bluetooth_t self:tcp_socket create_stream_socket_perms;
 allow bluetooth_t self:udp_socket create_socket_perms;
 
@@ -106,6 +109,7 @@ dev_read_sysfs(bluetooth_t)
 dev_rw_usbfs(bluetooth_t)
 dev_rw_generic_usb_dev(bluetooth_t)
 dev_read_urand(bluetooth_t)
+dev_rw_input_dev(bluetooth_t)
 
 fs_getattr_all_fs(bluetooth_t)
 fs_search_auto_mountpoints(bluetooth_t)
@@ -124,12 +128,13 @@ files_read_etc_files(bluetooth_t)
 files_read_etc_runtime_files(bluetooth_t)
 files_read_usr_files(bluetooth_t)
 
+auth_use_nsswitch(bluetooth_t)
+
 logging_send_syslog_msg(bluetooth_t)
 
 miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
-
-sysnet_read_config(bluetooth_t)
+miscfiles_read_hwdata(bluetooth_t)
 
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
@@ -138,6 +143,10 @@ userdom_dontaudit_search_user_home_dirs(bluetooth_t)
 optional_policy(`
 	dbus_system_bus_client(bluetooth_t)
 	dbus_connect_system_bus(bluetooth_t)
+
+	optional_policy(`
+		cups_dbus_chat(bluetooth_t)
+	')
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/dcc.if b/policy/modules/services/dcc.if
index 80102a7..7073379 100644
--- a/policy/modules/services/dcc.if
+++ b/policy/modules/services/dcc.if
@@ -66,6 +66,24 @@ interface(`dcc_domtrans_client',`
 
 ########################################
 ## <summary>
+##	Send a signal to the dcc_client.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dcc_signal_client',`
+	gen_require(`
+		type dcc_client_t;
+	')
+
+	allow $1 dcc_client_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute dcc_client in the dcc_client domain, and
 ##	allow the specified role the dcc_client domain.
 ## </summary>
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index baddef3..d49af9a 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
 
-policy_module(dcc, 1.6.1)
+policy_module(dcc, 1.6.2)
 
 ########################################
 #
@@ -105,25 +105,20 @@ corenet_udp_sendrecv_all_ports(cdcc_t)
 files_read_etc_files(cdcc_t)
 files_read_etc_runtime_files(cdcc_t)
 
+auth_use_nsswitch(cdcc_t)
+
 logging_send_syslog_msg(cdcc_t)
 
 miscfiles_read_localization(cdcc_t)
 
-sysnet_read_config(cdcc_t)
-sysnet_dns_name_resolve(cdcc_t)
-
 userdom_use_user_terminals(cdcc_t)
 
-optional_policy(`
-	nscd_socket_use(cdcc_t)
-')
-
 ########################################
 #
 # dcc procmail interface local policy
 #
 
-allow dcc_client_t self:capability setuid;
+allow dcc_client_t self:capability { setuid setgid };
 allow dcc_client_t self:unix_dgram_socket create_socket_perms;
 allow dcc_client_t self:udp_socket create_socket_perms;
 
@@ -138,6 +133,8 @@ allow dcc_client_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
+kernel_read_system_state(dcc_client_t)
+
 corenet_all_recvfrom_unlabeled(dcc_client_t)
 corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
@@ -147,17 +144,16 @@ corenet_udp_sendrecv_all_ports(dcc_client_t)
 files_read_etc_files(dcc_client_t)
 files_read_etc_runtime_files(dcc_client_t)
 
+auth_use_nsswitch(dcc_client_t)
+
 logging_send_syslog_msg(dcc_client_t)
 
 miscfiles_read_localization(dcc_client_t)
 
-sysnet_read_config(dcc_client_t)
-sysnet_dns_name_resolve(dcc_client_t)
-
 userdom_use_user_terminals(dcc_client_t)
 
 optional_policy(`
-	nscd_socket_use(dcc_client_t)
+	spamassassin_read_spamd_tmp_files(dcc_client_t)
 ')
 
 ########################################
@@ -189,19 +185,14 @@ corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
 files_read_etc_files(dcc_dbclean_t)
 files_read_etc_runtime_files(dcc_dbclean_t)
 
+auth_use_nsswitch(dcc_dbclean_t)
+
 logging_send_syslog_msg(dcc_dbclean_t)
 
 miscfiles_read_localization(dcc_dbclean_t)
 
-sysnet_read_config(dcc_dbclean_t)
-sysnet_dns_name_resolve(dcc_dbclean_t)
-
 userdom_use_user_terminals(dcc_dbclean_t)
 
-optional_policy(`
-	nscd_socket_use(dcc_dbclean_t)
-')
-
 ########################################
 #
 # Server daemon local policy
@@ -259,21 +250,16 @@ files_read_etc_runtime_files(dccd_t)
 fs_getattr_all_fs(dccd_t)
 fs_search_auto_mountpoints(dccd_t)
 
+auth_use_nsswitch(dccd_t)
+
 logging_send_syslog_msg(dccd_t)
 
 miscfiles_read_localization(dccd_t)
 
-sysnet_read_config(dccd_t)
-sysnet_dns_name_resolve(dccd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccd_t)
 userdom_dontaudit_search_user_home_dirs(dccd_t)
 
 optional_policy(`
-	nscd_socket_use(dccd_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(dccd_t)
 ')
 
@@ -329,21 +315,16 @@ files_read_etc_runtime_files(dccifd_t)
 fs_getattr_all_fs(dccifd_t)
 fs_search_auto_mountpoints(dccifd_t)
 
+auth_use_nsswitch(dccifd_t)
+
 logging_send_syslog_msg(dccifd_t)
 
 miscfiles_read_localization(dccifd_t)
 
-sysnet_read_config(dccifd_t)
-sysnet_dns_name_resolve(dccifd_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
 userdom_dontaudit_search_user_home_dirs(dccifd_t)
 
 optional_policy(`
-	nscd_socket_use(dccifd_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(dccifd_t)
 ')
 
@@ -398,21 +379,16 @@ files_read_etc_runtime_files(dccm_t)
 fs_getattr_all_fs(dccm_t)
 fs_search_auto_mountpoints(dccm_t)
 
+auth_use_nsswitch(dccm_t)
+
 logging_send_syslog_msg(dccm_t)
 
 miscfiles_read_localization(dccm_t)
 
-sysnet_read_config(dccm_t)
-sysnet_dns_name_resolve(dccm_t)
-
 userdom_dontaudit_use_unpriv_user_fds(dccm_t)
 userdom_dontaudit_search_user_home_dirs(dccm_t)
 
 optional_policy(`
-	nscd_socket_use(dccm_t)
-')
-
-optional_policy(`
 	seutil_sigchld_newrole(dccm_t)
 ')
 
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
index 130c317..cd17ac5 100644
--- a/policy/modules/services/hal.fc
+++ b/policy/modules/services/hal.fc
@@ -9,6 +9,7 @@
 /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
 /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 /usr/libexec/hald-addon-macbook-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/sbin/radeontool			--	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 
 /usr/sbin/hald		--			gen_context(system_u:object_r:hald_exec_t,s0)
 
@@ -17,7 +18,7 @@
 /var/lib/hal(/.*)?				gen_context(system_u:object_r:hald_var_lib_t,s0)
 
 /var/log/pm(/.*)?				gen_context(system_u:object_r:hald_log_t,s0)
-/var/log/pm-suspend\.log			gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm-.*\.log				gen_context(system_u:object_r:hald_log_t,s0)
 
 /var/run/hald(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
 /var/run/haldaemon\.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index e95a24c..43c653c 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -20,6 +20,45 @@ interface(`hal_domtrans',`
 
 ########################################
 ## <summary>
+##	Get the attributes of a hal process.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_getattr',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:process getattr;
+')
+
+########################################
+## <summary>
+##	Read hal system state
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`hal_read_state',`
+	gen_require(`
+		type hald_t;
+	')
+
+	allow $1 hald_t:dir list_dir_perms;
+	read_files_pattern($1, hald_t, hald_t)
+	read_lnk_files_pattern($1, hald_t, hald_t)
+	dontaudit $1 hald_t:process ptrace;
+')
+
+########################################
+## <summary>
 ##	Allow ptrace of hal domain
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 3e49a36..04ec5ae 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
 
-policy_module(hal, 1.10.1)
+policy_module(hal, 1.10.2)
 
 ########################################
 #
@@ -297,6 +297,10 @@ optional_policy(`
 	vbetool_domtrans(hald_t)
 ')
 
+optional_policy(`
+	virt_manage_images(hald_t)
+')
+
 ########################################
 #
 # Hal acl local policy
@@ -338,6 +342,8 @@ storage_setattr_removable_dev(hald_acl_t)
 
 auth_use_nsswitch(hald_acl_t)
 
+logging_send_syslog_msg(hald_acl_t)
+
 miscfiles_read_localization(hald_acl_t)
 
 ########################################
@@ -345,6 +351,8 @@ miscfiles_read_localization(hald_acl_t)
 # Local hald mac policy
 #
 
+allow hald_mac_t self:capability { setgid setuid };
+
 domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
 allow hald_t hald_mac_t:process signal;
 allow hald_mac_t hald_t:unix_stream_socket connectto;
@@ -353,6 +361,8 @@ manage_dirs_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
 manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
 files_search_var_lib(hald_mac_t)
 
+write_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
+
 kernel_read_system_state(hald_mac_t)
 
 dev_read_raw_memory(hald_mac_t)
@@ -360,6 +370,9 @@ dev_write_raw_memory(hald_mac_t)
 dev_read_sysfs(hald_mac_t)
 
 files_read_usr_files(hald_mac_t)
+files_read_etc_files(hald_mac_t)
+
+auth_use_nsswitch(hald_mac_t)
 
 miscfiles_read_localization(hald_mac_t)
 
@@ -379,6 +392,8 @@ manage_dirs_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
 manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
 files_search_var_lib(hald_sonypic_t)
 
+write_files_pattern(hald_sonypic_t, hald_log_t, hald_log_t)
+
 files_read_usr_files(hald_sonypic_t)
 
 miscfiles_read_localization(hald_sonypic_t)
@@ -396,12 +411,10 @@ manage_dirs_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
 manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
 files_search_var_lib(hald_keymap_t)
 
+write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
+
 dev_rw_input_dev(hald_keymap_t)
 
 files_read_usr_files(hald_keymap_t)
 
 miscfiles_read_localization(hald_keymap_t)
-
-# This is caused by a bug in hald and PolicyKit.  
-# Should be removed when this is fixed
-#cron_read_system_job_lib_files(hald_t)

More information about the scm-commits mailing list