diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 67620d0..2efe67c 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.11.13)
+policy_module(corenetwork, 1.11.14)
 ########################################
 #
@@ -89,6 +89,7 @@ network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
 network_port(dbskkd, tcp,1178,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
+network_port(dccm, tcp,5679,s0, udp,5679,s0)
 network_port(dhcpc, udp,68,s0)
 network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
 network_port(dict, tcp,2628,s0)
diff --git a/policy/modules/services/hal.fc b/policy/modules/services/hal.fc
index cd17ac5..86999eb 100644
--- a/policy/modules/services/hal.fc
+++ b/policy/modules/services/hal.fc
@@ -5,6 +5,7 @@
 /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
 /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
 /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
 /usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
 /usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
diff --git a/policy/modules/services/hal.if b/policy/modules/services/hal.if
index 43c653c..7b7e5c1 100644
--- a/policy/modules/services/hal.if
+++ b/policy/modules/services/hal.if
@@ -51,10 +51,7 @@ interface(`hal_read_state',`
 type hald_t;
 ')
- allow $1 hald_t:dir list_dir_perms;
- read_files_pattern($1, hald_t, hald_t)
- read_lnk_files_pattern($1, hald_t, hald_t)
- dontaudit $1 hald_t:process ptrace;
+ ps_process_pattern($1, hald_t)
 ')
 ########################################
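Review bot: `network_port(dccm, tcp,5679,s0, udp,5679,s0)` labels udp/5679 as dccm_port_t, but the only consumer added in this diff, hald_dccm_t in hal.te, receives `corenet_tcp_bind_dccm_port` and no udp bind on that port, so the udp entry is either dead or the hal.te side is incomplete. If hal-dccm does open udp/5679, add `corenet_udp_bind_dccm_port(hald_dccm_t)` beside the tcp line in hal.te; if it does not, drop `udp,5679,s0` so the port type does not cover traffic nothing is meant to bind. A short comment on the port entry saying what dccm is (presumably the SynCE device-connection-manager port — confirm) would help the next reader of this long list.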
@@ -229,6 +226,24 @@ interface(`hal_dbus_chat',`
 ########################################
 ##
+## Execute hal mac in the hal mac domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_domtrans_mac',`
+ gen_require(`
+ type hald_mac_t, hald_mac_exec_t;
+ ')
+
+ domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
+')
+
+########################################
+##
 ## Allow attempts to write the hal
 ## log files.
@@ -268,6 +283,26 @@ interface(`hal_dontaudit_write_log',`
 ########################################
 ##
+## Manage hald log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_manage_log',`
+ gen_require(`
+ type hald_log_t;
+ ')
+
+ # log files for hald
+ manage_files_pattern($1, hald_log_t, hald_log_t)
+ logging_log_filetrans($1, hald_log_t, file)
+')
+
+########################################
+##
 ## Read hald tmp files.
 ##
 ##
@@ -340,3 +375,41 @@ interface(`hal_rw_pid_files',`
 files_search_pids($1)
 allow $1 hald_var_run_t:file rw_file_perms;
 ')
+
+########################################
+##
+## Manage hald PID dirs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_manage_pid_dirs',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
+')
+
+########################################
+##
+## Manage hald PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_manage_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+')
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 6d1c9cd..c814b11 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal, 1.11.2)
+policy_module(hal, 1.11.3)
 ########################################
 #
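Review bot: `hal_domtrans_mac` hands any caller a transition into hald_mac_t, and this same diff (hal.te) raises that domain to setuid, setgid and sys_admin, so the interface summary should say who is expected to use it and that the target is privileged; hald_t already performs this transition directly in hal.te, so it is not obvious from the hunk which domain the new interface serves. Suggested summary lines: `## Execute the hal macbookpro backlight helper in the hald_mac_t domain.` and `## hald_mac_t runs with setuid/setgid/sys_admin; grant only to domains that must launch hal helpers themselves.` The XML markup inside the three new doc blocks is not visible in this rendering, so I could not check that each has the usual summary and domain param; please compare against the existing hal_rw_pid_files block.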
@@ -19,6 +19,12 @@ role system_r types hald_acl_t;
 type hald_cache_t;
 files_pid_file(hald_cache_t)
+type hald_dccm_t;
+type hald_dccm_exec_t;
+domain_type(hald_dccm_t)
+domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
+role system_r types hald_dccm_t;
+
 type hald_keymap_t;
 type hald_keymap_exec_t;
 domain_type(hald_keymap_t)
@@ -141,8 +147,10 @@ files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
+files_getattr_all_files(hald_t)
 files_read_kernel_img(hald_t)
 files_rw_lock_dirs(hald_t)
+files_read_generic_pids(hald_t)
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
@@ -195,6 +203,7 @@ seutil_read_default_contexts(hald_t)
 seutil_read_file_contexts(hald_t)
 sysnet_read_config(hald_t)
+sysnet_domtrans_dhcpc(hald_t)
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
@@ -277,6 +286,17 @@ optional_policy(`
 ')
 optional_policy(`
+ ppp_read_rw_config(hald_t)
+')
+
+optional_policy(`
+ policykit_domtrans_auth(hald_t)
+ policykit_domtrans_resolve(hald_t)
+ policykit_read_lib(hald_t)
+ policykit_read_reload(hald_t)
+')
+
+optional_policy(`
 rpc_search_nfs_state_data(hald_t)
 ')
@@ -306,7 +326,7 @@ optional_policy(`
 # Hal acl local policy
 #
-allow hald_acl_t self:capability { dac_override fowner };
+allow hald_acl_t self:capability { dac_override fowner sys_resource };
 allow hald_acl_t self:process { getattr signal };
 allow hald_acl_t self:fifo_file rw_fifo_file_perms;
@@ -339,6 +359,8 @@ files_read_etc_files(hald_acl_t)
 storage_getattr_removable_dev(hald_acl_t)
 storage_setattr_removable_dev(hald_acl_t)
+storage_getattr_fixed_disk_dev(hald_acl_t)
+storage_setattr_fixed_disk_dev(hald_acl_t)
 auth_use_nsswitch(hald_acl_t)
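Review bot: `storage_setattr_fixed_disk_dev(hald_acl_t)` lets hal-acl-tool change owner/mode/ACL attributes on fixed-disk device nodes, where before it could only touch removable media; setattr is exactly what hands a console user a raw block device if a HAL ACL rule ever matches an internal disk, so the line deserves a why-comment and a check that getattr alone was not sufficient. Suggested comment above the two new lines: `# hal-acl-tool now manages ACLs on fixed-disk nodes as well (presumably internal card readers/optical drives HAL reports as fixed — confirm); setattr here can expose a raw disk to the console user, keep the HAL fdi rules narrow`. The `sys_resource` capability added to hald_acl_t earlier in this file is likewise uncommented; if it only appeared as a denial during a probe, `dontaudit hald_acl_t self:capability sys_resource;` is the safer form.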
@@ -346,12 +368,18 @@ logging_send_syslog_msg(hald_acl_t)
 miscfiles_read_localization(hald_acl_t)
+optional_policy(`
+ policykit_domtrans_auth(hald_acl_t)
+ policykit_read_lib(hald_acl_t)
+ policykit_read_reload(hald_acl_t)
+')
+
 ########################################
 #
 # Local hald mac policy
 #
-allow hald_mac_t self:capability { setgid setuid };
+allow hald_mac_t self:capability { setgid setuid sys_admin };
 domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
 allow hald_t hald_mac_t:process signal;
@@ -374,6 +402,8 @@ files_read_etc_files(hald_mac_t)
 auth_use_nsswitch(hald_mac_t)
+logging_send_syslog_msg(hald_mac_t)
+
 miscfiles_read_localization(hald_mac_t)
 ########################################
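Review bot: `allow hald_mac_t self:capability { setgid setuid sys_admin };` adds sys_admin, the broadest capability in the set, to the macbookpro backlight helper with no comment on which operation needs it; a capability this wide on a small helper should be justified in the policy, and if it only showed up as a denial probe it should be dontaudited rather than granted. Suggested comment above the line: `# sys_admin: presumably for PCI config-space writes through sysfs when setting the backlight — confirm against the audit log`. If it was a probe, `dontaudit hald_mac_t self:capability sys_admin;` keeps the helper quiet without extending its privilege.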
@@ -415,6 +445,49 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
 dev_rw_input_dev(hald_keymap_t)
+files_read_etc_files(hald_keymap_t)
 files_read_usr_files(hald_keymap_t)
 miscfiles_read_localization(hald_keymap_t)
+
+########################################
+#
+# Local hald dccm policy
+#
+
+allow hald_dccm_t self:capability { net_bind_service };
+allow hald_dccm_t self:process getsched;
+allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+allow hald_dccm_t self:udp_socket create_socket_perms;
+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
+
+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
+allow hald_t hald_dccm_t:process signal;
+allow hald_dccm_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_dccm_t)
+
+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+
+kernel_search_network_sysctl(hald_dccm_t)
+
+corenet_all_recvfrom_unlabeled(hald_dccm_t)
+corenet_all_recvfrom_netlabel(hald_dccm_t)
+corenet_tcp_sendrecv_generic_if(hald_dccm_t)
+corenet_udp_sendrecv_generic_if(hald_dccm_t)
+corenet_tcp_sendrecv_generic_node(hald_dccm_t)
+corenet_udp_sendrecv_generic_node(hald_dccm_t)
+corenet_tcp_sendrecv_all_ports(hald_dccm_t)
+corenet_udp_sendrecv_all_ports(hald_dccm_t)
+corenet_tcp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_dhcpc_port(hald_dccm_t)
+corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+logging_send_syslog_msg(hald_dccm_t)
+
+files_read_usr_files(hald_dccm_t)
+
+miscfiles_read_localization(hald_dccm_t)
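Review bot: `corenet_udp_bind_dhcpc_port(hald_dccm_t)` together with `net_bind_service` lets the dccm helper bind udp/68 (the DHCP client port) on every node, and nothing in the hunk says why a device-connection helper needs a DHCP socket; add a why-comment next to the capability, e.g. `# net_bind_service: dccm binds udp/68 for the DHCP exchange with the attached device — confirm`. The `corenet_*_sendrecv_all_ports` and `corenet_all_recvfrom_unlabeled` lines are the usual template, but combined with `manage_dirs_pattern`/`manage_files_pattern` on hald_var_lib_t, the same type hald_t uses for its own state, this helper can rewrite hald's state rather than only its own; if hal-dccm keeps its data in one subdirectory, a dedicated hald_dccm_var_lib_t with a filetrans would keep the two footprints apart. The udp socket class is granted but no udp bind on the dccm port is, so either the udp/5679 entry in corenetwork is unused or `corenet_udp_bind_dccm_port(hald_dccm_t)` belongs next to the tcp line.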