diff --git a/modules-minimum.conf b/modules-minimum.conf
index 29e28c9..3c06644 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -340,6 +340,13 @@ dcc = module
#
ddcprobe = off
+# Layer: services
+# Module: devicekit
+#
+# devicekit-daemon
+#
+devicekit = module
+
# Layer: kernel
# Module: devices
# Required in base
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 29e28c9..3c06644 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -340,6 +340,13 @@ dcc = module
#
ddcprobe = off
+# Layer: services
+# Module: devicekit
+#
+# devicekit-daemon
+#
+devicekit = module
+
# Layer: kernel
# Module: devices
# Required in base
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 6480d1f..508ddcb 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -8349,7 +8349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 17:10:55.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/apache.te 2009-01-19 17:34:22.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@@ -8444,16 +8444,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -187,15 +233,22 @@
+@@ -187,15 +233,20 @@
files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
+
ubac_constrained(httpd_user_script_t)
-+typeattribute httpd_user_content_t, httpdcontent;
-+typeattribute httpd_user_content_rw_t, httpdcontent;
-+typeattribute httpd_user_content_ra_t, httpdcontent;
-+typeattribute httpd_user_script_exec_t, httpdcontent;
++typeattribute httpd_user_content_t httpdcontent;
++typeattribute httpd_user_content_rw_t httpdcontent;
++typeattribute httpd_user_content_ra_t httpdcontent;
+
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
@@ -8462,7 +8461,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-userdom_user_home_content(httpd_user_script_ro_t)
-userdom_user_home_content(httpd_user_script_rw_t)
+userdom_user_home_content(httpd_user_content_ra_t)
-+userdom_user_home_content(httpd_user_content_ro_t)
+userdom_user_home_content(httpd_user_content_rw_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -8470,7 +8468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
-@@ -230,7 +283,7 @@
+@@ -230,7 +281,7 @@
# Apache server local policy
#
@@ -8479,7 +8477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dontaudit httpd_t self:capability { net_admin sys_tty_config };
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow httpd_t self:fd use;
-@@ -272,6 +325,7 @@
+@@ -272,6 +323,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@@ -8487,7 +8485,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,9 +337,9 @@
+@@ -283,9 +335,9 @@
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
@@ -8500,7 +8498,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,6 +355,7 @@
+@@ -301,6 +353,7 @@
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
@@ -8508,7 +8506,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
-@@ -312,6 +367,7 @@
+@@ -312,6 +365,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -8516,7 +8514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -322,6 +378,7 @@
+@@ -322,6 +376,7 @@
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -8524,7 +8522,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_http_port(httpd_t)
corenet_tcp_bind_http_cache_port(httpd_t)
corenet_sendrecv_http_server_packets(httpd_t)
-@@ -335,12 +392,12 @@
+@@ -335,12 +390,12 @@
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -8540,7 +8538,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_use_interactive_fds(httpd_t)
-@@ -358,6 +415,10 @@
+@@ -358,6 +413,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -8551,7 +8549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_read_lib_files(httpd_t)
-@@ -372,18 +433,33 @@
+@@ -372,18 +431,33 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -8589,7 +8587,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -391,20 +467,54 @@
+@@ -391,20 +465,54 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -8645,7 +8643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -415,20 +525,28 @@
+@@ -415,20 +523,28 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -8678,7 +8676,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -459,8 +577,13 @@
+@@ -459,8 +575,13 @@
')
optional_policy(`
@@ -8694,7 +8692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -472,18 +595,13 @@
+@@ -472,18 +593,13 @@
')
optional_policy(`
@@ -8714,7 +8712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -493,6 +611,12 @@
+@@ -493,6 +609,12 @@
openca_kill(httpd_t)
')
@@ -8727,7 +8725,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
-@@ -500,6 +624,7 @@
+@@ -500,6 +622,7 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
@@ -8735,7 +8733,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -508,6 +633,7 @@
+@@ -508,6 +631,7 @@
')
optional_policy(`
@@ -8743,7 +8741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -535,6 +661,22 @@
+@@ -535,6 +659,22 @@
userdom_use_user_terminals(httpd_helper_t)
@@ -8766,7 +8764,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Apache PHP script local policy
-@@ -564,20 +706,25 @@
+@@ -564,20 +704,25 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -8798,7 +8796,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -595,23 +742,24 @@
+@@ -595,23 +740,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -8827,7 +8825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +772,7 @@
+@@ -624,6 +770,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -8835,20 +8833,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -641,12 +790,25 @@
+@@ -641,12 +788,23 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
-+read_files_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_ro_t)
+read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
+
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ domtrans_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_script_t)
-+ domtrans_pattern(httpd_suexec_t, httpd_user_script_ro_t, httpd_user_script_t)
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_t)
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_t)
+
@@ -8864,7 +8860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -655,6 +817,12 @@
+@@ -655,6 +813,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -8877,7 +8873,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -672,15 +840,14 @@
+@@ -672,15 +836,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -8896,7 +8892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +866,24 @@
+@@ -699,12 +862,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -8923,7 +8919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +891,35 @@
+@@ -712,6 +887,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -8959,7 +8955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +932,10 @@
+@@ -724,6 +928,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -8970,7 +8966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
-@@ -735,6 +947,8 @@
+@@ -735,6 +943,8 @@
# httpd_rotatelogs local policy
#
@@ -8979,7 +8975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +968,9 @@
+@@ -754,6 +964,9 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -8989,7 +8985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# allow accessing files/dirs below the users home dir
-@@ -762,3 +979,66 @@
+@@ -762,3 +975,66 @@
userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t)
')
@@ -11422,7 +11418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/devkit(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if
--- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-19 17:09:09.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/devicekit.if 2009-01-19 17:17:14.000000000 -0500
@@ -0,0 +1,139 @@
+
+## policy for devicekit
@@ -11521,7 +11517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+#
+interface(`devicekit_power_dbus_chat',`
+ gen_require(`
-+ type devicekit_t;
++ type devicekit_power_t;
+ class dbus send_msg;
+ ')
+
@@ -20523,14 +20519,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.3/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/squid.te 2009-01-19 15:16:22.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/squid.te 2009-01-19 17:24:18.000000000 -0500
@@ -118,6 +118,9 @@
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
+#squid requires the following when run in diskd mode, the recommended setting
+fs_rw_tmpfs_files(squid_t)
-+fs_list_inotify(squid_t)
++fs_list_inotifyfs(squid_t)
selinux_dontaudit_getattr_dir(squid_t)
@@ -26410,7 +26406,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 17:08:20.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if 2009-01-19 17:15:36.000000000 -0500
@@ -30,8 +30,9 @@
')
@@ -26979,7 +26975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
- hal_dbus_chat($1_t)
-+ devkit_power_dbus_chat($1_usertype)
++ devicekit_power_dbus_chat($1_usertype)
')
optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index ebd57e1..47c8aaa 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.3
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,9 @@ exit 0
%endif
%changelog
+* Mon Jan 19 2009 Dan Walsh 3.6.3-2
+- Add devicekit policy
+
* Mon Jan 19 2009 Dan Walsh 3.6.3-1
- Update to upstream