From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 19 Jan 2011 01:40:30 +0100 Subject: [refpolicy] RFC: patch to update git reference policy Message-ID: <1295397630.3377.10.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello, I have created a set of two patches to update the git reference policy to run on a generic modern Linux system. Most changes are relative to the dbus system (send_msg capability). Some interfaces and a few file contexts have also been added for convenience. In particular /sbin/upstart is now labelled correctly (many distributions nowadays link /sbin/init to /sbin/upstart to leave some choice, so it is necessary to label the latter appropriately). Please send your comments and feel free to test intensively. Thanks. Regards, Guido diff -pruN refpolicy-git-18012011/policy/modules/services/dbus.fc refpolicy-git-18012011-new/policy/modules/services/dbus.fc --- refpolicy-git-18012011/policy/modules/services/dbus.fc 2011-01-08 19:07:21.238740722 +0100 +++ refpolicy-git-18012011-new/policy/modules/services/dbus.fc 2011-01-17 20:53:01.132703217 +0100 
@@ -1,11 +1,24 @@ /etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0) /bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0) /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) /lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-cleanup-sockets -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-launch -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-monitor -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-send -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-uuidgen -- gen_context(system_u:object_r:dbusd_exec_t,s0) +/usr/bin/dbus-binding-tool -- gen_context(system_u:object_r:dbusd_exec_t,s0) + /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) /var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0) diff -pruN refpolicy-git-18012011/policy/modules/system/init.fc refpolicy-git-18012011-new/policy/modules/system/init.fc --- refpolicy-git-18012011/policy/modules/system/init.fc 2011-01-08 19:07:21.350758412 +0100 +++ refpolicy-git-18012011-new/policy/modules/system/init.fc 2011-01-17 20:35:02.785918606 +0100 
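Review bot: The added entries label the client utilities (dbus-send, dbus-monitor, dbus-launch, dbus-uuidgen, dbus-binding-tool, dbus-cleanup-sockets) with `dbusd_exec_t`, the same type as the bus daemon binary. If that type is the entry point for the daemon domain, any domain with a transition on it would run these tools as the daemon; the transition rules are not visible in this hunk, so check this against dbus.if and dbus.te. I would leave the tools under the generic `bin_t` label (no entry needed) or give them a client type of their own. If separate entries stay, one line per directory, e.g. `/usr/bin/dbus-(cleanup-sockets|launch|monitor|send|uuidgen|binding-tool) -- gen_context(...)`, is shorter and follows the regex style of the existing `/usr/bin/dbus-daemon(-1)?` line.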
@@ -34,6 +34,8 @@ ifdef(`distro_gentoo', ` # /sbin # /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) +# because nowadays, /sbin/init is often a symlink to /sbin/upstart +/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) ifdef(`distro_gentoo', ` /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) diff -pruN -x .git refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te --- refpolicy-git-18012011/policy/modules/admin/readahead.te 2011-01-08 19:07:21.165729194 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te 2011-01-18 23:13:49.754846681 +0100 @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t) auth_dontaudit_read_shadow(readahead_t) +init_read_fifo_file(readahead_t) init_use_fds(readahead_t) init_use_script_ptys(readahead_t) init_getattr_initctl(readahead_t) diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if --- refpolicy-git-18012011/policy/modules/kernel/corecommands.if 2011-01-08 19:07:21.197734248 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if 2011-01-18 23:13:49.755846822 +0100 
@@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',` ######################################## ## +## Allow mmap_file_perms on a shell +## executable. +## +## +## +## Domain allowed access. +## +## +# +interface(`corecmd_mmap_file_exec_shell',` + gen_require(` + type bin_t, shell_exec_t; + ') + + list_dirs_pattern($1, bin_t, bin_t) + read_lnk_files_pattern($1, bin_t, bin_t) + allow $1 shell_exec_t:file mmap_file_perms; +') + +######################################## +## ## Execute shells in the caller domain. ## ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if --- refpolicy-git-18012011/policy/modules/kernel/files.if 2011-01-08 19:07:21.203735196 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if 2011-01-18 23:13:49.759847386 +0100 @@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',` ######################################## ## +## Set the attributes of the /bin directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_setattr_bin_dirs',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir setattr; +') + +######################################## +## +## Search the content of /bin. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_search_bin',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir search_dir_perms; +') + +######################################## +## +## Get the attributes of files in /bin. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_bin_files',` + gen_require(` + type bin_t; + ') + + getattr_files_pattern($1, bin_t, bin_t) +') + +######################################## +## +## Read generic files in /bin. +## +## +##
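Review bot: The summary of `corecmd_mmap_file_exec_shell` only repeats the permission-set name and does not tell a caller what is granted. As far as I know `mmap_file_perms` includes `execute` on the file (without `execute_no_trans`), which is worth stating, e.g. `## Read and memory-map (with execute permission) a shell executable, without running it in the caller domain.` No caller of this interface appears in the visible part of the patch, so it could be dropped until something needs it.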

+## Allow the specified domain to read generic +## files in /bin. These files are various program +## files that do not have more specific SELinux types. +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`files_read_bin_files',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir list_dir_perms; + read_files_pattern($1, bin_t, bin_t) + read_lnk_files_pattern($1, bin_t, bin_t) +') + +######################################## +## +## Execute generic programs in /bin in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_exec_bin_files',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir list_dir_perms; + exec_files_pattern($1, bin_t, bin_t) + read_lnk_files_pattern($1, bin_t, bin_t) +') + +######################################## +## +## Read symbolic links in /bin. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_bin_symlinks',` + gen_require(` + type bin_t; + ') + + read_lnk_files_pattern($1, bin_t, bin_t) +') + +######################################## +## ## Set the attributes of the /usr directory. ## ## @@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',` ######################################## ## -## Search the content of /etc. +## Search the content of /usr. ## ## ## @@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',` ') ######################################## +## +## Get the attributes of the /var/log directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getattr_var_log_dirs',` + gen_require(` + type var_t, var_log_t; + ') + + getattr_dirs_pattern($1, var_t, var_log_t) +') + +######################################## +## +## Search the /var/log directory. +## +## +##
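Review bot: The six `files_*_bin*` interfaces added to files.if require `bin_t`, which belongs to the corecommands module, and they largely duplicate what that module already exports (`corecmd_exec_bin` is called for devicekit_power_t elsewhere in this patch). Callers such as `files_exec_bin_files(system_dbusd_t)` in dbus.te could use `corecmd_exec_bin(system_dbusd_t)` instead, which keeps access to `bin_t` behind its owning module. `files_setattr_bin_dirs` has no caller in the visible part of the patch and grants `setattr` on the directories that hold system binaries, so I would drop it unless a specific denial justifies it. The same layering point applies to the `files_*_var_log*` interfaces in the @@ -5070 hunk, which require `var_log_t` from the logging module.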

+## Search the /var/log directory. This is +## necessary to access files or directories under +## /var/log that have a private type. For example, a +## domain accessing a private log file in the +## /var/log directory: +##

+##

+## allow mydomain_t mylogfile_t:file read_file_perms; +## files_search_var_log(mydomain_t) +##

+##
+## +## +## Domain allowed access. +## +## +## +# +interface(`files_search_var_log',` + gen_require(` + type var_t, var_log_t; + ') + + search_dirs_pattern($1, var_t, var_log_t) +') + +######################################## +## +## Do not audit attempts to search the +## contents of /var/log. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`files_dontaudit_search_var_log',` + gen_require(` + type var_log_t; + ') + + dontaudit $1 var_log_t:dir search_dir_perms; +') + +######################################## +## +## List the contents of the /var/log directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_list_var_log',` + gen_require(` + type var_t, var_log_t; + ') + + list_dirs_pattern($1, var_t, var_log_t) +') + +########################################### +## +## Read-write /var/log directories +## +## +## +## Domain allowed access. +## +## +# +interface(`files_rw_var_log_dirs',` + gen_require(` + type var_log_t; + ') + + rw_dirs_pattern($1, var_log_t, var_log_t) +') + +########################################### +## +## Append to files in the /var/log directories +## +## +## +## Domain allowed access. +## +## +# +interface(`files_var_log_append',` + gen_require(` + type var_log_t; + ') + + append_files_pattern($1, var_log_t, var_log_t) +') + +######################################## +## +## Create objects in the /var/log directory +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created +## +## +## +## +## The object class. +## +## +# +interface(`files_var_log_filetrans',` + gen_require(` + type var_t, var_log_t; + ') + + allow $1 var_t:dir search_dir_perms; + filetrans_pattern($1, var_log_t, $2, $3) +') + +######################################## +## +## Read generic files in /var/log. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`files_read_var_log_files',` + gen_require(` + type var_t, var_log_t; + ') + + allow $1 var_log_t:dir list_dir_perms; + read_files_pattern($1, { var_t var_log_t }, var_log_t) +') + +######################################## +## +## Read generic symbolic links in /var/log +## +## +## +## Domain allowed access. +## +## +# +interface(`files_read_var_log_symlinks',` + gen_require(` + type var_t, var_log_t; + ') + + read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t) +') + +######################################## ## ## Search the locks directory (/var/lock). ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if --- refpolicy-git-18012011/policy/modules/kernel/kernel.if 2011-01-17 19:36:10.808130722 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if 2011-01-18 23:13:49.763847950 +0100 @@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro ######################################## ## +## Allows to search the base +## directory of sysctls. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`kernel_search_sysctl',` + gen_require(` + type sysctl_t; + ') + + allow $1 sysctl_t:dir search; +') + +######################################## +## ## Do not audit attempts by caller to search ## the base directory of sysctls. ## 
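Review bot: The parameter description of `kernel_search_sysctl` reads `Domain to not audit.` although the interface is an `allow`; it looks copied from the dontaudit interface that follows. Use `Domain allowed access.` and shorten the summary to `Search the base directory of sysctls.` The rule `allow $1 sysctl_t:dir search;` also leaves out the `proc_t` parent, unlike `kernel_search_fs_sysctl` later in this patch; `search_dirs_pattern($1, proc_t, sysctl_t)` with `type proc_t, sysctl_t;` in the gen_require would be consistent with it.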
@@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',` ') ######################################## +## +## Allow caller to search filesystem sysctls. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_search_fs_sysctl',` + gen_require(` + type proc_t, sysctl_t, sysctl_fs_t; + ') + + search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t) +') + +######################################## ## ## Read filesystem sysctls. ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if --- refpolicy-git-18012011/policy/modules/services/avahi.if 2011-01-08 19:07:21.224738512 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if 2011-01-18 23:38:58.297498219 +0100 @@ -75,6 +75,25 @@ interface(`avahi_signull',` ######################################## ## +## Send a dbus message to avahi. +## +## +## +## Domain allowed access. +## +## +# +interface(`avahi_dbus_send',` + gen_require(` + type avahi_t; + class dbus send_msg; + ') + + allow $1 avahi_t:dbus send_msg; +') + +######################################## +## ## Send and receive messages from ## avahi over dbus. ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te --- refpolicy-git-18012011/policy/modules/services/avahi.te 2011-01-08 19:07:21.224738512 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te 2011-01-19 01:20:50.132124585 +0100 
@@ -104,9 +104,17 @@ optional_policy(` ') optional_policy(` + ntp_dbus_send(avahi_t) +') + +optional_policy(` seutil_sigchld_newrole(avahi_t) ') optional_policy(` udev_read_db(avahi_t) ') + +optional_policy(` + xserver_xdm_dbus_send(avahi_t) +') diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if --- refpolicy-git-18012011/policy/modules/services/consolekit.if 2011-01-08 19:07:21.232739776 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if 2011-01-18 23:13:49.767848514 +0100 @@ -20,6 +20,26 @@ interface(`consolekit_domtrans',` ######################################## ## +## Send a dbus message to +## consolekit. +## +## +## +## Domain allowed access. +## +## +# +interface(`consolekit_dbus_send',` + gen_require(` + type consolekit_t; + class dbus send_msg; + ') + + allow $1 consolekit_t:dbus send_msg; +') + +######################################## +## ## Send and receive messages from ## consolekit over dbus. ## @@ -93,5 +113,6 @@ interface(`consolekit_read_pid_files',` ') files_search_pids($1) + allow $1 consolekit_var_run_t:dir list_dir_perms; read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t) ') diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te --- refpolicy-git-18012011/policy/modules/services/dbus.te 2011-01-08 19:07:21.238740722 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te 2011-01-18 23:13:49.790851763 +0100 
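Review bot: In the consolekit.if @@ -93,5 hunk, adding `allow $1 consolekit_var_run_t:dir list_dir_perms;` to `consolekit_read_pid_files` widens the interface for every existing caller, not only for `system_dbusd_t`, which this patch adds as a caller. `read_files_pattern` on the following line already grants search on the directory, so listing is needed only by a caller that enumerates it. If the bus daemon needs that, a separate interface (for example `consolekit_list_pid_files`) would leave the other callers unchanged. The interface body starts outside the hunk.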
@@ -52,7 +52,7 @@ ifdef(`enable_mls',` # dac_override: /var/run/dbus is owned by messagebus on Debian # cjp: dac_override should probably go in a distro_debian -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace }; dontaudit system_dbusd_t self:capability sys_tty_config; allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; allow system_dbusd_t self:fifo_file rw_fifo_file_perms; @@ -115,9 +115,14 @@ corecmd_read_bin_sockets(system_dbusd_t) domain_use_interactive_fds(system_dbusd_t) domain_read_all_domains_state(system_dbusd_t) +files_search_default(system_dbusd_t) +files_read_default_files(system_dbusd_t) files_read_etc_files(system_dbusd_t) files_list_home(system_dbusd_t) -files_read_usr_files(system_dbusd_t) +files_exec_bin_files(system_dbusd_t) +files_exec_usr_files(system_dbusd_t) +files_read_var_lib_files(system_dbusd_t) +files_var_log_append(system_dbusd_t) init_use_fds(system_dbusd_t) init_use_script_ptys(system_dbusd_t) @@ -141,6 +146,24 @@ optional_policy(` ') optional_policy(` + consolekit_read_pid_files(system_dbusd_t) + consolekit_dbus_send(system_dbusd_t) +') + +optional_policy(` + devicekit_dbus_send_disk(system_dbusd_t) + devicekit_dbus_send_power(system_dbusd_t) +') + +optional_policy(` + networkmanager_dbus_send(system_dbusd_t) +') + +optional_policy(` + ntp_dbus_chat(system_dbusd_t) +') + +optional_policy(` policykit_dbus_chat(system_dbusd_t) policykit_domtrans_auth(system_dbusd_t) policykit_search_lib(system_dbusd_t) 
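Review bot: `sys_ptrace` is added to the capability set of `system_dbusd_t` without a comment, while the two lines above the rule explain why `dac_override` is there. The capability lets a root process bypass the ptrace access checks on other processes, so it should not be granted to the system bus daemon without a stated need. If the denial only comes from the daemon reading /proc entries of its peers (the next hunk shows `domain_read_all_domains_state` as context), `dontaudit system_dbusd_t self:capability sys_ptrace;` is the narrower answer. Otherwise add a comment such as `# sys_ptrace: <what needs it>`.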
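Review bot: In the @@ -115,9 hunk `files_read_usr_files` is replaced by `files_exec_bin_files` and `files_exec_usr_files`, so the system bus daemon may run any generic `bin_t` or `usr_t` program inside its own domain. Helpers that the daemon starts are better given a domain transition, so they do not inherit the daemon's permissions. `files_search_default` and `files_read_default_files` grant access to `default_t`, which usually points to files missing a file context; fixing the labelling is preferable to allowing the access. `files_var_log_append(system_dbusd_t)` should carry a comment naming the log file, e.g. `# appends to <log file>`.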
@@ -154,6 +177,10 @@ optional_policy(` udev_read_db(system_dbusd_t) ') +optional_policy(` + xserver_xdm_dbus_chat(system_dbusd_t) +') + ######################################## # # Unconfined access to this module diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if --- refpolicy-git-18012011/policy/modules/services/devicekit.if 2011-01-08 19:07:21.240741038 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if 2011-01-18 23:13:49.791851900 +0100 @@ -39,6 +39,25 @@ interface(`devicekit_dgram_send',` ######################################## ## +## Send a dbus message to devicekit. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_dbus_send',` + gen_require(` + type devicekit_t; + class dbus send_msg; + ') + + allow $1 devicekit_t:dbus send_msg; +') + +######################################## +## ## Send and receive messages from ## devicekit over dbus. ## @@ -60,6 +79,25 @@ interface(`devicekit_dbus_chat',` ######################################## ## +## Send a dbus message to devicekit disk. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_dbus_send_disk',` + gen_require(` + type devicekit_disk_t; + class dbus send_msg; + ') + + allow $1 devicekit_disk_t:dbus send_msg; +') + +######################################## +## ## Send and receive messages from ## devicekit disk over dbus. ## @@ -99,6 +137,25 @@ interface(`devicekit_signal_power',` ######################################## ## +## Send a dbus message to devicekit power. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_dbus_send_power',` + gen_require(` + type devicekit_power_t; + class dbus send_msg; + ') + + allow $1 devicekit_power_t:dbus send_msg; +') + +######################################## +## ## Send and receive messages from ## devicekit power over dbus. ## 
@@ -183,3 +240,22 @@ interface(`devicekit_admin',` admin_pattern($1, devicekit_var_run_t) files_search_pids($1) ') + +######################################## +## +## DeviceKit power getattr on APM +## bios character device node files. +## +## +## +## Domain allowed access. +## +## +# +interface(`devicekit_getattr_apm_bios_files_power',` + gen_require(` + type apm_bios_t; + ') + + getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t) +') diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te --- refpolicy-git-18012011/policy/modules/services/devicekit.te 2011-01-08 19:07:21.241741196 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te 2011-01-18 23:13:49.792852039 +0100 @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t) dev_read_urand(devicekit_t) files_read_etc_files(devicekit_t) +files_read_etc_runtime_files(devicekit_t) miscfiles_read_localization(devicekit_t) @@ -178,6 +179,10 @@ optional_policy(` virt_manage_images(devicekit_disk_t) ') +optional_policy(` + xserver_xdm_dbus_send(devicekit_disk_t) +') + ######################################## # # DeviceKit-Power local policy @@ -193,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir) +kernel_search_fs_sysctl(devicekit_power_t) +kernel_rw_vm_sysctls(devicekit_power_t) kernel_read_network_state(devicekit_power_t) kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) kernel_search_debugfs(devicekit_power_t) kernel_write_proc_files(devicekit_power_t) +kernel_setsched(devicekit_power_t) corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) 
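Review bot: `devicekit_getattr_apm_bios_files_power` requires `apm_bios_t`, a device type that the devicekit module does not own, and devicekit.te then calls it on devicekit's own domain `devicekit_power_t`. A module's interfaces are meant to export access to that module's types, so this access belongs in a `dev_*` interface of the devices module, called from devicekit.te. `getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)` also passes the device type as the directory argument, which grants search on `apm_bios_t` directories. The intended rule is presumably just `allow $1 apm_bios_t:chr_file getattr;` after a search of the device directory.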
@@ -215,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t) files_read_kernel_img(devicekit_power_t) files_read_etc_files(devicekit_power_t) +files_rw_etc_runtime_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) fs_list_inotifyfs(devicekit_power_t) +fs_remount_xattr_fs(devicekit_power_t) term_use_all_terms(devicekit_power_t) @@ -230,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power userdom_read_all_users_state(devicekit_power_t) +devicekit_getattr_apm_bios_files_power(devicekit_power_t) + +mount_exec_getattr(devicekit_power_t) +mount_exec(devicekit_power_t) + optional_policy(` bootloader_domtrans(devicekit_power_t) ') @@ -276,9 +291,17 @@ optional_policy(` ') optional_policy(` + storage_raw_read_fixed_disk(devicekit_power_t) +') + +optional_policy(` udev_read_db(devicekit_power_t) ') optional_policy(` vbetool_domtrans(devicekit_power_t) ') + +optional_policy(` + xserver_xdm_dbus_send(devicekit_power_t) +') diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te --- refpolicy-git-18012011/policy/modules/services/hal.te 2011-01-08 19:07:21.252742934 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te 2011-01-18 23:13:49.794852319 +0100 @@ -338,6 +338,10 @@ optional_policy(` virt_manage_images(hald_t) ') +optional_policy(` + xserver_xdm_dbus_send(hald_t) +') + ######################################## # # Hal acl local policy diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if --- refpolicy-git-18012011/policy/modules/services/networkmanager.if 2011-01-08 19:07:21.269745618 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if 2011-01-18 23:13:49.795852460 +0100 
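Review bot: In the @@ -230,6 hunk `mount_exec(devicekit_power_t)` runs mount inside `devicekit_power_t` rather than transitioning to the mount domain, so the power daemon itself has to hold the mount-related permissions, such as `fs_remount_xattr_fs` added in the previous hunk. `mount_domtrans(devicekit_power_t)` would keep those in the mount domain. `mount_exec_getattr` looks redundant next to `mount_exec`, since execute access should already include getattr on the file. `storage_raw_read_fixed_disk(devicekit_power_t)` in the @@ -276,9 hunk lets the domain read fixed disks directly, bypassing per-file labels, and deserves a comment stating what needs it, e.g. `# raw disk read: <tool and reason>`.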
@@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran ######################################## ## +## Send a dbus message to NetworkManager. +## +## +## +## Domain allowed access. +## +## +# +interface(`networkmanager_dbus_send',` + gen_require(` + type NetworkManager_t; + class dbus send_msg; + ') + + allow $1 NetworkManager_t:dbus send_msg; +') + +######################################## +## ## Send and receive messages from ## NetworkManager over dbus. ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te --- refpolicy-git-18012011/policy/modules/services/networkmanager.te 2011-01-08 19:07:21.269745618 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te 2011-01-18 23:13:49.796852601 +0100 @@ -140,6 +140,7 @@ seutil_read_config(NetworkManager_t) sysnet_domtrans_ifconfig(NetworkManager_t) sysnet_domtrans_dhcpc(NetworkManager_t) sysnet_signal_dhcpc(NetworkManager_t) +sysnet_read_dhcpc_state(NetworkManager_t) sysnet_read_dhcpc_pid(NetworkManager_t) sysnet_delete_dhcpc_pid(NetworkManager_t) sysnet_search_dhcp_state(NetworkManager_t) @@ -265,6 +266,10 @@ optional_policy(` vpn_signull(NetworkManager_t) ') +optional_policy(` + xserver_xdm_dbus_send(NetworkManager_t) +') + ######################################## # # wpa_cli local policy diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if --- refpolicy-git-18012011/policy/modules/services/ntp.if 2011-01-08 19:07:21.272746092 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if 2011-01-18 23:13:49.798852883 +0100 
@@ -163,3 +163,62 @@ interface(`ntp_admin',` files_list_pids($1) admin_pattern($1, ntpd_var_run_t) ') + +######################################## +## +## Send a dbus message to ntpd. +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_dbus_send',` + gen_require(` + type ntpd_t; + class dbus send_msg; + ') + + allow $1 ntpd_t:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## ntpd over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_dbus_chat',` + gen_require(` + type ntpd_t; + class dbus send_msg; + ') + + allow $1 ntpd_t:dbus send_msg; + allow ntpd_t $1:dbus send_msg; +') + +######################################## +## +## Connect to dbus using a unix domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_dbus_stream_connect',` + gen_require(` + type system_dbusd_t, system_dbusd_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t) +') Binary files refpolicy-git-18012011/policy/modules/services/.ntp.if.swp and refpolicy-git-18012011-minimum-update/policy/modules/services/.ntp.if.swp differ diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te --- refpolicy-git-18012011/policy/modules/services/ntp.te 2011-01-08 19:07:21.272746092 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te 2011-01-18 23:40:27.459838030 +0100 
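Review bot: `ntp_dbus_stream_connect` requires `system_dbusd_t` and `system_dbusd_var_run_t`, which belong to the dbus module, and its only caller in this patch is ntp.te passing ntp's own `ntpd_t`. Connecting to the system bus is what the dbus module's client interface is for; `dbus_system_bus_client(ntpd_t)` inside an optional block, as logging.te does for audisp_t, should cover the socket connection as far as I know. Separately, the `Binary files ... .ntp.if.swp ... differ` line after this hunk shows that an editor swap file was in the tree when the diff was taken. It should be excluded before the patch is resent.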
@@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt userdom_list_user_home_dirs(ntpd_t) optional_policy(` + avahi_dbus_send(ntpd_t) +') + +optional_policy(` # for cron jobs cron_system_entry(ntpd_t, ntpdate_exec_t) ') optional_policy(` + ntp_dbus_stream_connect(ntpd_t) +') + +optional_policy(` gpsd_rw_shm(ntpd_t) ') diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/plymouthd.te refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te --- refpolicy-git-18012011/policy/modules/services/plymouthd.te 2011-01-08 19:07:21.280747356 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te 2011-01-18 23:13:49.800853165 +0100 @@ -29,7 +29,7 @@ files_pid_file(plymouthd_var_run_t) allow plymouthd_t self:capability { sys_admin sys_tty_config }; dontaudit plymouthd_t self:capability dac_override; -allow plymouthd_t self:process signal; +allow plymouthd_t self:process { signal getsched }; allow plymouthd_t self:fifo_file rw_fifo_file_perms; allow plymouthd_t self:unix_stream_socket create_stream_socket_perms; diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if 2011-01-08 19:07:21.304751146 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if 2011-01-18 23:13:49.801853306 +0100 @@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre ######################################## ## +## Send a dbus message to +## setroubleshoot. +## +## +## +## Domain allowed access. +## +## +# +interface(`setroubleshoot_dbus_send',` + gen_require(` + type setroubleshootd_t; + class dbus send_msg; + ') + + allow $1 setroubleshootd_t:dbus send_msg; +') + +######################################## +## ## Send and receive messages from ## setroubleshoot over dbus. ## 
@@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus ######################################## ## +## Send a dbus message to +## setroubleshoot fixit. +## +## +## +## Domain allowed access. +## +## +# +interface(`setroubleshoot_dbus_send_fixit',` + gen_require(` + type setroubleshoot_fixit_t; + class dbus send_msg; + ') + + allow $1 setroubleshoot_fixit_t:dbus send_msg; +') + +######################################## +## ## Send and receive messages from -## setroubleshoot over dbus. +## setroubleshoot fixit over dbus. ## ## ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te 2011-01-08 19:07:21.305751304 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te 2011-01-18 23:13:49.802853447 +0100 @@ -125,12 +125,24 @@ optional_policy(` ') optional_policy(` + locate_read_lib_files(setroubleshootd_t) +') + +optional_policy(` + logging_dbus_send_dispatcher(setroubleshootd_t) +') + +optional_policy(` rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) ') +optional_policy(` + xserver_xdm_dbus_send(setroubleshootd_t) +') + ######################################## # # setroubleshoot_fixit local policy diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/smartmon.te refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te --- refpolicy-git-18012011/policy/modules/services/smartmon.te 2011-01-08 19:07:21.326754622 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te 2011-01-18 23:13:49.803853588 +0100 
@@ -73,6 +73,8 @@ files_read_etc_runtime_files(fsdaemon_t) # for config files_read_etc_files(fsdaemon_t) +files_read_usr_files(fsdaemon_t) + fs_getattr_all_fs(fsdaemon_t) fs_search_auto_mountpoints(fsdaemon_t) diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if --- refpolicy-git-18012011/policy/modules/services/xserver.if 2011-01-08 19:07:21.344757464 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if 2011-01-18 23:13:49.804853729 +0100 @@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') + +######################################## +## +## Send a dbus message to xdm. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_dbus_send',` + gen_require(` + type xdm_t; + class dbus send_msg; + ') + + allow $1 xdm_t:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## xdm over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_xdm_dbus_chat',` + gen_require(` + type xdm_t; + class dbus send_msg; + ') + + allow $1 xdm_t:dbus send_msg; + allow xdm_t $1:dbus send_msg; +') diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te --- refpolicy-git-18012011/policy/modules/services/xserver.te 2011-01-08 19:07:21.344757464 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te 2011-01-18 23:13:49.806854011 +0100 @@ -508,6 +508,10 @@ optional_policy(` ') optional_policy(` + avahi_dbus_send(xdm_t) +') + +optional_policy(` consolekit_dbus_chat(xdm_t) ') 
@@ -516,12 +520,21 @@ optional_policy(` ') optional_policy(` + devicekit_dbus_send_disk(xdm_t) + devicekit_dbus_send_power(xdm_t) +') + +optional_policy(` # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) ') optional_policy(` + hal_dbus_send(xdm_t) +') + +optional_policy(` hostname_exec(xdm_t) ') @@ -539,10 +552,18 @@ optional_policy(` ') optional_policy(` + networkmanager_dbus_send(xdm_t) +') + +optional_policy(` resmgr_stream_connect(xdm_t) ') optional_policy(` + setroubleshoot_dbus_send(xdm_t) +') + +optional_policy(` seutil_sigchld_newrole(xdm_t) ') diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/authlogin.te refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te --- refpolicy-git-18012011/policy/modules/system/authlogin.te 2011-01-08 19:07:21.347757938 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te 2011-01-18 23:13:49.808854293 +0100 @@ -91,6 +91,8 @@ files_list_etc(chkpwd_t) # is_selinux_enabled kernel_read_system_state(chkpwd_t) +kernel_search_sysctl(chkpwd_t) + domain_dontaudit_use_interactive_fds(chkpwd_t) dev_read_rand(chkpwd_t) diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-minimum-update/policy/modules/system/init.if --- refpolicy-git-18012011/policy/modules/system/init.if 2011-01-08 19:07:21.351758570 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/system/init.if 2011-01-18 23:13:49.809854434 +0100 
@@ -947,6 +947,24 @@ interface(`init_read_state',` ######################################## ## +## Read init fifo file. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_read_fifo_file',` + gen_require(` + attribute init_t; + ') + + read_fifo_files_pattern($1, init_t, init_t) +') + +######################################## +## ## Ptrace init ## ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if --- refpolicy-git-18012011/policy/modules/system/logging.if 2011-01-08 19:07:21.355759202 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if 2011-01-18 23:13:49.812854857 +0100 @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat ######################################## ## +## Send a dbus message to the audit +## dispatcher. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_dbus_send_dispatcher',` + gen_require(` + type audisp_t; + class dbus send_msg; + ') + + allow $1 audisp_t:dbus send_msg; +') + +######################################## +## +## Send and receive messages from +## the audit dispatcher over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_dbus_chat_dispatcher',` + gen_require(` + type audisp_t; + class dbus send_msg; + ') + + allow $1 audisp_t:dbus send_msg; + allow audisp_t $1:dbus send_msg; +') + +######################################## +## ## Manage the auditd configuration files. ## ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te --- refpolicy-git-18012011/policy/modules/system/logging.te 2011-01-08 19:07:21.356759360 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te 2011-01-18 23:13:49.813854998 +0100 
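Review bot: In `init_read_fifo_file` the `gen_require` block declares `attribute init_t;`, but `init_t` is used as a type in the `read_fifo_files_pattern` call, and every other interface added by this patch requires its `_t` name with `type`. The line should read `type init_t;`. With the attribute declaration the requirement will presumably not resolve when the interface is used from another module. The summary should also say which pipe is meant, since the pattern lets `$1` search directories labelled `init_t` in addition to reading the fifo.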
@@ -223,6 +223,8 @@ allow audisp_t self:unix_dgram_socket cr allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; +allow audisp_t proc_t:file read_file_perms; + manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) @@ -246,6 +248,10 @@ optional_policy(` dbus_system_bus_client(audisp_t) ') +optional_policy(` + setroubleshoot_dbus_send(audisp_t) +') + ######################################## # # Audit remote logger local policy diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if --- refpolicy-git-18012011/policy/modules/system/mount.if 2011-01-08 19:07:21.358759676 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if 2011-01-18 23:13:49.814855139 +0100 @@ -51,6 +51,25 @@ interface(`mount_run',` ######################################## ## +## Get the attributes of mount +## executable files. +## +## +## +## Domain allowed access. +## +## +# +interface(`mount_exec_getattr',` + gen_require(` + type mount_exec_t; + ') + + allow $1 mount_exec_t:file getattr; +') + +######################################## +## ## Execute mount in the caller domain. ## ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te --- refpolicy-git-18012011/policy/modules/system/mount.te 2011-01-17 19:36:10.814131755 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te 2011-01-19 01:01:20.531005215 +0100 
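Review bot: `allow audisp_t proc_t:file read_file_perms;` names `proc_t` directly, a type that logging.te does not own, whereas elsewhere in this patch procfs is reached through a kernel interface (authlogin.te shows `kernel_read_system_state(chkpwd_t)`). Unless `proc_t` is required somewhere outside this hunk, a modular build will likely reject the rule, and on its own it grants no search on the directory that holds the file. Replace it with `kernel_read_system_state(audisp_t)` and add a comment naming the /proc file the dispatcher reads.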
@@ -51,12 +51,17 @@ kernel_read_kernel_sysctls(mount_t) kernel_dontaudit_getattr_core_if(mount_t) kernel_dontaudit_write_debugfs_dirs(mount_t) kernel_dontaudit_write_proc_dirs(mount_t) +kernel_setsched(mount_t) # To load binfmt_misc kernel module kernel_request_load_module(mount_t) # required for mount.smbfs corecmd_exec_bin(mount_t) +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2 +# from initscripts +corecmd_mmap_file_exec_shell(mount_t) + dev_getattr_all_blk_files(mount_t) dev_list_all_dev_nodes(mount_t) dev_read_sysfs(mount_t) @@ -108,6 +113,8 @@ storage_raw_read_fixed_disk(mount_t) storage_raw_write_fixed_disk(mount_t) storage_raw_read_removable_device(mount_t) storage_raw_write_removable_device(mount_t) +# needed for example by ntfs-3g +storage_rw_fuse(mount_t) term_use_all_terms(mount_t) diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if --- refpolicy-git-18012011/policy/modules/system/sysnetwork.if 2011-01-08 19:07:21.362760308 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if 2011-01-18 23:13:49.817855562 +0100 @@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',` ######################################## ## +## Search dhcp client state directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`sysnet_search_dhcpc_state',` + gen_require(` + type dhcpc_state_t; + ') + + search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t) +') + +######################################## +## ## Read dhcp client state files. ## ## diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.te refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te --- refpolicy-git-18012011/policy/modules/system/sysnetwork.te 2011-01-08 19:07:21.363760466 +0100 +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te 2011-01-18 23:13:49.818855703 +0100 
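Review bot: Judging by its name, `corecmd_mmap_file_exec_shell(mount_t)` lets a shell run inside `mount_t`, and the context lines of the next mount.te hunk show that domain already has raw read and write on fixed and removable disks, so any script reached this way inherits that access. The comment lists filesystems but not the helper that invokes the shell; name it, and consider whether that helper should transition to its own domain instead. `kernel_setsched(mount_t)` in the same hunk has no comment at all and sits directly after a run of `kernel_dontaudit_*` lines; add one such as `# <mount helper that changes scheduling, and why>`. `storage_rw_fuse(mount_t)` in the following hunk is documented and needs no change.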
@@ -325,6 +325,7 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` + hal_read_pid_files(ifconfig_t) hal_dontaudit_rw_pipes(ifconfig_t) hal_dontaudit_rw_dgram_sockets(ifconfig_t) ') -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5186 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110119/fa7ea8bb/attachment-0001.bin
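Review bot: `hal_read_pid_files(ifconfig_t)` is an allow rule added to an `optional_policy` block whose existing entries are both `hal_dontaudit_*`, which suggests the block exists to silence descriptors inherited from hal rather than to grant access. If the pid-file read has the same origin, a dontaudit rule fits the block and leaves `ifconfig_t` unchanged. If ifconfig really needs the file, say so in a comment such as `# <why ifconfig reads hal's pid file>`.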