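diff -up serefpolicy-3.10.0/policy/modules/kernel/devices.if.systemd serefpolicy-3.10.0/policy/modules/kernel/devices.if
--- serefpolicy-3.10.0/policy/modules/kernel/devices.if.systemd	2012-01-13 12:21:08.578666030 -0500
+++ serefpolicy-3.10.0/policy/modules/kernel/devices.if	2012-01-13 12:21:08.678669095 -0500
@@ -143,13 +143,13 @@ interface(`dev_relabel_all_dev_nodes',`
 		type device_t;
 	')
 
-	relabelfrom_dirs_pattern($1, device_t, device_node)
-	relabelfrom_files_pattern($1, device_t, device_node)
-	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
-	relabel_fifo_files_pattern($1, device_t,  { device_t device_node })
-	relabel_sock_files_pattern($1, device_t, { device_t device_node })
-	relabel_blk_files_pattern($1, device_t, { device_t device_node })
-	relabel_chr_files_pattern($1, device_t, { device_t device_node })
+	relabel_dirs_pattern($1, device_t, device_node)
+	relabel_files_pattern($1, device_t, device_node)
+	relabel_lnk_files_pattern($1, device_t, device_node)
+	relabel_fifo_files_pattern($1, device_t,  device_node)
+	relabel_sock_files_pattern($1, device_t, device_node)
+	relabel_blk_files_pattern($1, device_t, device_node)
+	relabel_chr_files_pattern($1, device_t, device_node)
 ')
 
 ########################################
@@ -4201,6 +4201,27 @@ interface(`dev_read_cpu_online',`
 
 ########################################
 ## <summary>
+##	Relabel cpu online hardware state information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_cpu_online',`
+	gen_require(`
+		type cpu_online_t;
+		type sysfs_t;
+	')
+
+	dev_search_sysfs($1)
+	allow $1 cpu_online_t:file relabel;
+')
+
+
+########################################
+## <summary>
 ##	Read hardware state information.
 ## </summary>
 ## <desc>
@@ -4269,6 +4290,26 @@ interface(`dev_relabel_sysfs_dirs',`
 ')
 
 ########################################
+## <summary>
+##	Relabel hardware state files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+	relabel_files_pattern($1, sysfs_t, sysfs_t)
+	relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
 ## <summary>
 ##	Allow caller to modify hardware state information.
 ## </summary>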
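Review bot: `allow $1 cpu_online_t:file relabel;` in the new dev_relabel_cpu_online interface uses `relabel`, which is not a permission of the file class (the relevant permissions are relabelfrom and relabelto); unless this tree defines `relabel` as a permission-set macro, the line should read `allow $1 cpu_online_t:file relabel_file_perms;`. Nothing in this patch calls the interface, so the error would only surface at the first caller's policy build. The `type sysfs_t;` in its gen_require is not used by the body, since dev_search_sysfs($1) carries its own require. In the first hunk, switching dirs and files from relabelfrom_* to relabel_* patterns widens dev_relabel_all_dev_nodes from relabelfrom-only to relabelfrom plus relabelto on those classes; if that is intended, the interface summary above the hunk should say so.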
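diff -up serefpolicy-3.10.0/policy/modules/roles/staff.te.systemd serefpolicy-3.10.0/policy/modules/roles/staff.te
--- serefpolicy-3.10.0/policy/modules/roles/staff.te.systemd	2012-01-13 12:21:08.586666274 -0500
+++ serefpolicy-3.10.0/policy/modules/roles/staff.te	2012-01-13 12:21:08.678669095 -0500
@@ -70,6 +70,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	bluetooth_role(staff_r, staff_t)
+')
+
+optional_policy(`
 	dbadm_role_change(staff_r)
 ')
 
@@ -238,10 +242,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		bluetooth_role(staff_r, staff_t)
-	')
-
-	optional_policy(`
 		cdrecord_role(staff_r, staff_t)
 	')
 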
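Review bot: Moving `bluetooth_role(staff_r, staff_t)` out of the `ifndef(`distro_redhat'` block (second hunk) into the unconditional section (first hunk) grants the bluetooth role to staff_t on Red Hat builds, where the guard previously withheld it; unprivuser.te in this patch adds the same unconditional grant for user_t. A one-line comment above the new block recording why the Red Hat exclusion no longer applies, e.g. `# bluetooth_role on all distros: <reason — TODO fill in>`, would keep the widening reviewable later.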
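diff -up serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.systemd serefpolicy-3.10.0/policy/modules/roles/unprivuser.te
--- serefpolicy-3.10.0/policy/modules/roles/unprivuser.te.systemd	2012-01-13 12:21:08.586666274 -0500
+++ serefpolicy-3.10.0/policy/modules/roles/unprivuser.te	2012-01-13 12:21:08.678669095 -0500
@@ -35,6 +35,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	bluetooth_role(user_r, user_t)
+')
+
+optional_policy(`
 	colord_dbus_chat(user_t)
 ')
 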
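diff -up serefpolicy-3.10.0/policy/modules/services/apache.fc.systemd serefpolicy-3.10.0/policy/modules/services/apache.fc
--- serefpolicy-3.10.0/policy/modules/services/apache.fc.systemd	2012-01-13 12:21:08.589666367 -0500
+++ serefpolicy-3.10.0/policy/modules/services/apache.fc	2012-01-13 12:21:08.678669095 -0500
@@ -140,6 +140,8 @@ ifdef(`distro_debian', `
 
 /var/www/gallery/albums(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 
+/var/www/moodledata(/.*)?		gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+
 /var/www/svn(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/svn/hooks(/.*)?		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 /var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)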
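diff -up serefpolicy-3.10.0/policy/modules/services/blueman.te.systemd serefpolicy-3.10.0/policy/modules/services/blueman.te
--- serefpolicy-3.10.0/policy/modules/services/blueman.te.systemd	2012-01-13 12:21:08.594666519 -0500
+++ serefpolicy-3.10.0/policy/modules/services/blueman.te	2012-01-13 12:21:08.679669126 -0500
@@ -36,3 +36,7 @@ miscfiles_read_localization(blueman_t)
 optional_policy(`
 	avahi_domtrans(blueman_t)
 ')
+
+optional_policy(`
+	gnome_search_gconf(blueman_t)
+')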
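diff -up serefpolicy-3.10.0/policy/modules/services/entropyd.te.systemd serefpolicy-3.10.0/policy/modules/services/entropyd.te
--- serefpolicy-3.10.0/policy/modules/services/entropyd.te.systemd	2012-01-13 12:21:08.609666980 -0500
+++ serefpolicy-3.10.0/policy/modules/services/entropyd.te	2012-01-13 12:21:08.679669126 -0500
@@ -52,6 +52,8 @@ domain_use_interactive_fds(entropyd_t)
 
 logging_send_syslog_msg(entropyd_t)
 
+auth_use_nsswitch(entropyd_t)
+
 miscfiles_read_localization(entropyd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(entropyd_t)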
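diff -up serefpolicy-3.10.0/policy/modules/services/virt.fc.systemd serefpolicy-3.10.0/policy/modules/services/virt.fc
--- serefpolicy-3.10.0/policy/modules/services/virt.fc.systemd	2012-01-13 12:21:08.653668329 -0500
+++ serefpolicy-3.10.0/policy/modules/services/virt.fc	2012-01-13 12:21:08.679669126 -0500
@@ -49,3 +49,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_
 
 # support for nova-stack
 /usr/bin/nova-compute       --  gen_context(system_u:object_r:virtd_exec_t,s0)
+/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)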
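Review bot: `/usr/libexec/qemu.*` matches every regular file under /usr/libexec whose name starts with qemu, not only the emulator binaries, so any helper installed there with that prefix would be labelled qemu_exec_t and executed in the qemu domain; the adjacent `/usr/bin/qemu-system-.*` is tighter, and an explicit name list is preferable here too. The new entries also sit directly under the `# support for nova-stack` comment, which now reads as if they belong to it; a separate line such as `# qemu emulator binaries` would keep the grouping honest. If qemu.fc in this tree already carries specs for these paths, the duplicates may need reconciling, which cannot be confirmed from this hunk.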
diff -up serefpolicy-3.10.0/policy/modules/system/init.te.systemd serefpolicy-3.10.0/policy/modules/system/init.te
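diff -up serefpolicy-3.10.0/policy/modules/system/logging.fc.systemd serefpolicy-3.10.0/policy/modules/system/logging.fc
--- serefpolicy-3.10.0/policy/modules/system/logging.fc.systemd	2012-01-13 12:21:08.664668666 -0500
+++ serefpolicy-3.10.0/policy/modules/system/logging.fc	2012-01-13 12:21:11.123743804 -0500
@@ -61,6 +61,7 @@ ifdef(`distro_suse', `
 /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
 /var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/log(/.*)?		gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 
 ifndef(`distro_gentoo',`
 /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)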
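diff -up serefpolicy-3.10.0/policy/modules/system/logging.te.systemd serefpolicy-3.10.0/policy/modules/system/logging.te
--- serefpolicy-3.10.0/policy/modules/system/logging.te.systemd	2012-01-13 12:21:08.665668696 -0500
+++ serefpolicy-3.10.0/policy/modules/system/logging.te	2012-01-13 12:21:11.123743804 -0500
@@ -386,7 +386,7 @@ optional_policy(`
 # chown fsetid for syslog-ng
 # sys_admin for the integrated klog of syslog-ng and metalog
 # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config ipc_lock net_admin sys_admin sys_nice chown fsetid setuid setgid };
 dontaudit syslogd_t self:capability sys_tty_config;
 allow syslogd_t self:capability2 syslog;
 # setpgid for metalog
@@ -474,6 +474,7 @@ tunable_policy(`logging_syslogd_can_send
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
 dev_read_rand(syslogd_t)
+dev_read_urand(syslogd_t)
 # relating to systemd-kmsg-syslogd
 dev_write_kmsg(syslogd_t)
 
@@ -497,6 +498,7 @@ mls_file_write_all_levels(syslogd_t) # N
 term_write_console(syslogd_t)
 # Allow syslog to a terminal
 term_write_unallocated_ttys(syslogd_t)
+term_use_generic_ptys(syslogd_t)
 
 init_stream_connect(syslogd_t)
 # for sending messages to logged in users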
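Review bot: The comment block above the capability rule records who needs each capability (`# chown fsetid for syslog-ng`, `# sys_admin for the integrated klog ...`), but the newly added `setuid setgid` carry no such line; since these are the capabilities that let the daemon change identity, add one in the same style, e.g. `# setuid setgid for <daemon that drops privileges — TODO fill in>`. In the third hunk, `term_use_generic_ptys(syslogd_t)` grants read-write terminal access on generic ptys, which in refpolicy goes beyond the "Allow syslog to a terminal" purpose served by the neighbouring write-only term_write_* lines; if only message delivery is needed, a write-only interface would be the narrower grant. The `dev_read_urand` in the second hunk is fine alongside the existing `dev_read_rand`.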
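diff -up serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.systemd serefpolicy-3.10.0/policy/modules/system/sysnetwork.te
--- serefpolicy-3.10.0/policy/modules/system/sysnetwork.te.systemd	2012-01-13 12:21:08.669668819 -0500
+++ serefpolicy-3.10.0/policy/modules/system/sysnetwork.te	2012-01-13 12:21:11.124743834 -0500
@@ -150,6 +150,8 @@ term_dontaudit_use_all_ptys(dhcpc_t)
 term_dontaudit_use_unallocated_ttys(dhcpc_t)
 term_dontaudit_use_generic_ptys(dhcpc_t)
 
+auth_use_nsswitch(dhcpc_t)
+
 init_rw_utmp(dhcpc_t)
 init_stream_connect(dhcpc_t)
 init_stream_send(dhcpc_t)
@@ -333,6 +335,7 @@ domain_use_interactive_fds(ifconfig_t)
 
 read_files_pattern(ifconfig_t, dhcpc_state_t, dhcpc_state_t)
 
+files_dontaudit_read_root_files(ifconfig_t)
 files_read_etc_files(ifconfig_t)
 files_read_etc_runtime_files(ifconfig_t)
 files_read_usr_files(ifconfig_t)
@@ -348,7 +351,7 @@ term_dontaudit_use_all_ptys(ifconfig_t)
 term_dontaudit_use_ptmx(ifconfig_t)
 term_dontaudit_use_generic_ptys(ifconfig_t)
 
-files_dontaudit_read_root_files(ifconfig_t)
+auth_use_nsswitch(ifconfig_t)
 
 init_use_fds(ifconfig_t)
 init_use_script_ptys(ifconfig_t)
@@ -359,7 +362,6 @@ logging_send_syslog_msg(ifconfig_t)
 
 miscfiles_read_localization(ifconfig_t)
 
-
 seutil_use_runinit_fds(ifconfig_t)
 
 sysnet_dns_name_resolve(ifconfig_t)
@@ -423,10 +425,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_use_ypbind(ifconfig_t)
-')
-
-optional_policy(`
 	ppp_use_fds(ifconfig_t)
 ')
 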
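Review bot: With `auth_use_nsswitch(ifconfig_t)` added in the third hunk, the `sysnet_dns_name_resolve(ifconfig_t)` that survives at the end of the fourth hunk becomes redundant, because auth_use_nsswitch already calls sysnet_dns_name_resolve, exactly as the `nis_use_ypbind(ifconfig_t)` block removed in the last hunk became redundant; drop it for consistency. auth_use_nsswitch is a broad grant for an interface-configuration tool (name-service client access including the ldap, nscd, sssd and nis paths where those modules are present), so a comment naming the lookup that triggers it, e.g. `# auth_use_nsswitch: <lookup ifconfig performs — TODO fill in>`, would let the next reader judge whether it is still needed; the same applies to the dhcpc_t grant in the first hunk.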
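diff -up serefpolicy-3.10.0/policy/modules/system/systemd.if.systemd serefpolicy-3.10.0/policy/modules/system/systemd.if
--- serefpolicy-3.10.0/policy/modules/system/systemd.if.systemd	2012-01-13 12:21:08.669668819 -0500
+++ serefpolicy-3.10.0/policy/modules/system/systemd.if	2012-01-13 12:21:11.124743834 -0500
@@ -51,6 +51,9 @@ interface(`systemd_exec_systemctl',`
 	init_list_pid_dirs($1)
 	init_read_state($1)
 	init_stream_send($1)
+
+	systemd_login_list_pid_dirs($1)
+	systemd_login_read_pid_files($1)
 ')
 
 #######################################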
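diff -up serefpolicy-3.10.0/policy/modules/system/systemd.te.systemd serefpolicy-3.10.0/policy/modules/system/systemd.te
--- serefpolicy-3.10.0/policy/modules/system/systemd.te.systemd	2012-01-13 12:21:08.670668850 -0500
+++ serefpolicy-3.10.0/policy/modules/system/systemd.te	2012-01-13 12:21:11.124743834 -0500
@@ -111,6 +111,7 @@ init_dbus_chat(systemd_logind_t)
 init_dbus_chat_script(systemd_logind_t)
 init_read_script_state(systemd_logind_t)
 init_read_state(systemd_logind_t)
+init_rw_stream_sockets(systemd_logind_t)
 
 logging_send_syslog_msg(systemd_logind_t)
 
@@ -198,6 +199,8 @@ kernel_read_network_state(systemd_tmpfil
 files_delete_kernel_modules(systemd_tmpfiles_t)
 
 dev_write_kmsg(systemd_tmpfiles_t)
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_read_cpu_online(systemd_tmpfiles_t)
 
 domain_obj_id_change_exemption(systemd_tmpfiles_t)
 
@@ -322,6 +325,8 @@ fs_getattr_cgroup_files(systemd_notify_t
 
 auth_use_nsswitch(systemd_notify_t)
 
+init_rw_stream_sockets(systemd_notify_t)
+
 miscfiles_read_localization(systemd_notify_t)
 
 optional_policy(`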
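Review bot: `dev_relabel_all_sysfs(systemd_tmpfiles_t)` in the second hunk covers only objects labelled sysfs_t, so if the tmpfiles.d entries that motivated it touch the file carrying the separate cpu_online_t type (presumably the cpu online node under /sys), that relabel will still be denied; the `dev_read_cpu_online` on the next line grants read only, and the new dev_relabel_cpu_online interface defined in devices.if in this same patch is not called anywhere. If a relabel of that file is needed, add `dev_relabel_cpu_online(systemd_tmpfiles_t)` here; if not, the unused interface is dead code. Either way the sysfs-wide relabel is a broad grant and deserves a comment naming the tmpfiles.d entries it serves.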
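diff -up serefpolicy-3.10.0/policy/modules/system/udev.te.systemd serefpolicy-3.10.0/policy/modules/system/udev.te
--- serefpolicy-3.10.0/policy/modules/system/udev.te.systemd	2012-01-13 12:21:08.670668850 -0500
+++ serefpolicy-3.10.0/policy/modules/system/udev.te	2012-01-13 12:21:11.124743834 -0500
@@ -333,6 +333,7 @@ optional_policy(`
 	kernel_read_xen_state(udev_t)
 	xen_manage_log(udev_t)
 	xen_read_image_files(udev_t)
+	xen_stream_connect_xenstore(udev_t)
 ')
 
 optional_policy(`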
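diff -up serefpolicy-3.10.0/policy/modules/system/xen.fc.systemd serefpolicy-3.10.0/policy/modules/system/xen.fc
--- serefpolicy-3.10.0/policy/modules/system/xen.fc.systemd	2012-01-13 12:21:08.673668943 -0500
+++ serefpolicy-3.10.0/policy/modules/system/xen.fc	2012-01-13 12:21:11.125743864 -0500
@@ -4,7 +4,7 @@
 /usr/sbin/evtchnd	--	gen_context(system_u:object_r:evtchnd_exec_t,s0)
 /usr/sbin/tapdisk	--	gen_context(system_u:object_r:blktap_exec_t,s0)
 
-/usr/lib/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
+#/usr/lib/xen/bin/qemu-dm	-- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
 
 ifdef(`distro_debian',`
 /usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)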
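diff -up serefpolicy-3.10.0/policy/modules/system/xen.te.systemd serefpolicy-3.10.0/policy/modules/system/xen.te
--- serefpolicy-3.10.0/policy/modules/system/xen.te.systemd	2012-01-13 12:21:08.673668943 -0500
+++ serefpolicy-3.10.0/policy/modules/system/xen.te	2012-01-13 12:21:11.125743864 -0500
@@ -167,6 +167,10 @@ files_pid_filetrans(evtchnd_t, evtchnd_v
 #
 # qemu-dm local policy
 #
+
+# TODO: This part of policy should be removed
+#       qemu-dm should run in xend_t domain
+
 # Do we need to allow execution of qemu-dm?
 tunable_policy(`xend_run_qemu',`
 	allow qemu_dm_t self:capability sys_resource;
@@ -207,6 +211,11 @@ tunable_policy(`xend_run_qemu',`
 
 allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw };
 allow xend_t self:process { signal sigkill };
+
+# needed by qemu_dm
+allow xend_t self:capability sys_resource;
+allow xend_t self:process setrlimit;
+
 dontaudit xend_t self:process ptrace;
 # internal communication is often done using fifo and unix sockets.
 allow xend_t self:fifo_file rw_fifo_file_perms;
@@ -319,7 +328,6 @@ logging_send_syslog_msg(xend_t)
 miscfiles_read_localization(xend_t)
 miscfiles_read_hwdata(xend_t)
 
-
 sysnet_domtrans_dhcpc(xend_t)
 sysnet_signal_dhcpc(xend_t)
 sysnet_domtrans_ifconfig(xend_t)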
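Review bot: The `# needed by qemu_dm` rules in the second hunk give xend_t sys_resource and setrlimit, and the TODO in the first hunk says qemu-dm should run in xend_t, which matches xen.fc in this patch commenting out the qemu_dm_exec_t label for /usr/lib/xen/bin/qemu-dm; but the `xend_run_qemu` tunable block that follows the TODO still carries qemu_dm_t rules, so with no file labelled qemu_dm_exec_t that block is dead policy and the tunable is misleading. Either keep the file context until the qemu_dm_t policy is actually removed, or remove both together; the tunable block extends past the hunk, so its full contents cannot be checked here. Adding a tracking reference to the TODO, e.g. `# TODO(<tracking id — placeholder>): remove qemu_dm_t policy once qemu-dm runs as xend_t`, would make the half-finished state explicit.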