From b36c20b2a9878748a948913f21f3829b6e394ea0 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Sep 08 2010 21:27:24 +0000 Subject: Allow sudo domains to manage /var/db/sudo Allow init_t and initrc_t to dbus chat Allow pulseaudio to read /usr/share/alsa/alsa.conf --- diff --git a/policy/modules/admin/sudo.fc b/policy/modules/admin/sudo.fc index 7bddc02..2b59ed0 100644 --- a/policy/modules/admin/sudo.fc +++ b/policy/modules/admin/sudo.fc @@ -1,2 +1,4 @@ /usr/bin/sudo(edit)? -- gen_context(system_u:object_r:sudo_exec_t,s0) + +/var/db/sudo(/.*)? gen_context(system_u:object_r:sudo_db_t,s0) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index e753ac9..cf1ca30 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -32,6 +32,7 @@ template(`sudo_role_template',` gen_require(` type sudo_exec_t; + type sudo_db_t; attribute sudodomain; ') @@ -47,6 +48,8 @@ template(`sudo_role_template',` ubac_constrained($1_sudo_t) role $2 types $1_sudo_t; + manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t) + ############################## # # Local Policy @@ -113,6 +116,7 @@ template(`sudo_role_template',` term_relabel_all_ttys($1_sudo_t) term_relabel_all_ptys($1_sudo_t) + term_getattr_pty_fs($1_sudo_t) auth_run_chk_passwd($1_sudo_t, $2) # sudo stores a token in the pam_pid directory diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index c368bdc..c927b85 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -7,3 +7,7 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) + +type sudo_db_t; +files_type(sudo_db_t) + diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 88fc6f6..db96581 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te 
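Review bot: The rule added to `sudo_role_template` in sudo.if, `manage_files_pattern($1_sudo_t, sudo_db_t, sudo_db_t)`, covers regular files only, while the new file context `/var/db/sudo(/.*)?` has no file-type specifier and so also labels directories under that path. If sudo keeps its timestamps in per-user subdirectories there (not shown in this diff, so worth confirming), it will still be denied directory creation and removal; the companion line would be `manage_dirs_pattern($1_sudo_t, sudo_db_t, sudo_db_t)`. No type transition is added either, so a /var/db/sudo created at runtime rather than by the package keeps its parent's label until relabelled. The template body starts before and continues after this hunk.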
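Review bot: The new `type sudo_db_t;` in sudo.te is declared without a comment saying what it protects. Assuming /var/db/sudo holds sudo's timestamp records, a domain that can write this type can affect whether sudo asks for a password again, so the restriction deserves to be written down. I would add above the declaration something like `# sudo timestamp files: write access must stay limited to the sudo domains`. `files_type(sudo_db_t)` probably also exposes the type to any domain granted access to all file types, which is expected but worth keeping in mind when auditing who can reach it.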
@@ -96,6 +96,10 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) optional_policy(` + alsa_read_rw_config(pulseaudio_t) +') + +optional_policy(` bluetooth_stream_connect(pulseaudio_t) ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index a80b4c7..477612e 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -782,6 +782,8 @@ optional_policy(` dbus_read_config(initrc_t) dbus_manage_lib_files(initrc_t) + init_dbus_chat(initrc_t) + optional_policy(` consolekit_dbus_chat(initrc_t) ')
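Review bot: The interface called in the new `optional_policy` block of pulseaudio.te, `alsa_read_rw_config(pulseaudio_t)`, is named for ALSA's writable-configuration type, while the commit message gives the goal as reading /usr/share/alsa/alsa.conf. It is worth confirming in the alsa module's file contexts that alsa.conf carries that type, so the grant matches the observed denial and nothing broader. A one-line comment above the call, for example `# pulseaudio reads /usr/share/alsa/alsa.conf`, would record why the access exists.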
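Review bot: `init_dbus_chat(initrc_t)` in init.te is added without a comment, and initrc_t is the domain init scripts run in, so the grant applies to every script in that domain rather than to one service. Judging by the interface name (its definition is not in this diff), it allows D-Bus messages in both directions between initrc_t and init_t. A short comment naming the consumer that triggered the denial, for example `# init scripts query init over D-Bus (<service>)`, would let a later audit decide whether the rule can be narrowed. The enclosing `optional_policy` block opens before the hunk and closes after it.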