hal patch from dan.

policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.11.13)
+policy_module(corenetwork, 1.11.14)
 
 ########################################
 #
@@ -89,6 +89,7 @@ network_port(cvs, tcp,2401,s0, udp,2401,s0)
 network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
 network_port(dbskkd, tcp,1178,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
+network_port(dccm, tcp,5679,s0, udp,5679,s0)
 network_port(dhcpc, udp,68,s0)
 network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
 network_port(dict, tcp,2628,s0)

policy/modules/services/hal.fc

@@ -5,6 +5,7 @@
 /usr/bin/hal-setup-keymap		--	gen_context(system_u:object_r:hald_keymap_exec_t,s0)
 
 /usr/libexec/hal-acl-tool		--	gen_context(system_u:object_r:hald_acl_exec_t,s0)
+/usr/libexec/hal-dccm			--	gen_context(system_u:object_r:hald_dccm_exec_t,s0)
 /usr/libexec/hal-hotplug-map 		--	gen_context(system_u:object_r:hald_exec_t,s0)
 /usr/libexec/hal-system-sonypic	 	--	gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
 /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)

policy/modules/services/hal.if

@@ -51,10 +51,7 @@ interface(`hal_read_state',`
 		type hald_t;
 	')
 
-	allow $1 hald_t:dir list_dir_perms;
-	read_files_pattern($1, hald_t, hald_t)
-	read_lnk_files_pattern($1, hald_t, hald_t)
-	dontaudit $1 hald_t:process ptrace;
+	ps_process_pattern($1, hald_t)
 ')
 
 ########################################
@@ -227,6 +224,24 @@ interface(`hal_dbus_chat',`
 	allow hald_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##	Execute hal mac in the hal mac domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_domtrans_mac',`
+	gen_require(`
+		type hald_mac_t, hald_mac_exec_t;
+	')
+
+	domtrans_pattern($1, hald_mac_exec_t, hald_mac_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow attempts to write the hal
@@ -266,6 +281,26 @@ interface(`hal_dontaudit_write_log',`
 	dontaudit $1 hald_log_t:file { append write };
 ')
 
+########################################
+## <summary>
+##	Manage hald log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_manage_log',`
+	gen_require(`
+		type hald_log_t;
+	')
+
+	# log files for hald
+	manage_files_pattern($1, hald_log_t, hald_log_t)
+	logging_log_filetrans($1, hald_log_t, file)
+')
+
 ########################################
 ## <summary>
 ##	Read hald tmp files.
@@ -340,3 +375,41 @@ interface(`hal_rw_pid_files',`
 	files_search_pids($1)
 	allow $1 hald_var_run_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Manage hald PID dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_manage_pid_dirs',`
+	gen_require(`
+		type hald_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_dirs_pattern($1, hald_var_run_t, hald_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage hald PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`hal_manage_pid_files',`
+	gen_require(`
+		type hald_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
+')

policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal, 1.11.2)
+policy_module(hal, 1.11.3)
 
 ########################################
 #
@@ -19,6 +19,12 @@ role system_r types hald_acl_t;
 type hald_cache_t;
 files_pid_file(hald_cache_t)
 
+type hald_dccm_t;
+type hald_dccm_exec_t;
+domain_type(hald_dccm_t)
+domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
+role system_r types hald_dccm_t;
+
 type hald_keymap_t;
 type hald_keymap_exec_t;
 domain_type(hald_keymap_t)
@@ -141,8 +147,10 @@ files_read_usr_files(hald_t)
 # hal is now execing pm-suspend
 files_create_boot_flag(hald_t)
 files_getattr_all_dirs(hald_t)
+files_getattr_all_files(hald_t)
 files_read_kernel_img(hald_t)
 files_rw_lock_dirs(hald_t)
+files_read_generic_pids(hald_t)
 
 fs_getattr_all_fs(hald_t)
 fs_search_all(hald_t)
@@ -195,6 +203,7 @@ seutil_read_default_contexts(hald_t)
 seutil_read_file_contexts(hald_t)
 
 sysnet_read_config(hald_t)
+sysnet_domtrans_dhcpc(hald_t)
 
 userdom_dontaudit_use_unpriv_user_fds(hald_t)
 userdom_dontaudit_search_user_home_dirs(hald_t)
@@ -276,6 +285,17 @@ optional_policy(`
 	podsleuth_domtrans(hald_t)
 ')
 
+optional_policy(`
+	ppp_read_rw_config(hald_t)
+')
+
+optional_policy(`
+	policykit_domtrans_auth(hald_t)
+	policykit_domtrans_resolve(hald_t)
+	policykit_read_lib(hald_t)
+	policykit_read_reload(hald_t)
+')
+
 optional_policy(`
 	rpc_search_nfs_state_data(hald_t)
 ')
@@ -306,7 +326,7 @@ optional_policy(`
 # Hal acl local policy
 #
 
-allow hald_acl_t self:capability { dac_override fowner };
+allow hald_acl_t self:capability { dac_override fowner sys_resource };
 allow hald_acl_t self:process { getattr signal };
 allow hald_acl_t self:fifo_file rw_fifo_file_perms;
 
@@ -339,6 +359,8 @@ files_read_etc_files(hald_acl_t)
 
 storage_getattr_removable_dev(hald_acl_t)
 storage_setattr_removable_dev(hald_acl_t)
+storage_getattr_fixed_disk_dev(hald_acl_t)
+storage_setattr_fixed_disk_dev(hald_acl_t)
 
 auth_use_nsswitch(hald_acl_t)
 
@@ -346,12 +368,18 @@ logging_send_syslog_msg(hald_acl_t)
 
 miscfiles_read_localization(hald_acl_t)
 
+optional_policy(`
+	policykit_domtrans_auth(hald_acl_t)
+	policykit_read_lib(hald_acl_t)
+	policykit_read_reload(hald_acl_t)
+')
+
 ########################################
 #
 # Local hald mac policy
 #
 
-allow hald_mac_t self:capability { setgid setuid };
+allow hald_mac_t self:capability { setgid setuid sys_admin };
 
 domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
 allow hald_t hald_mac_t:process signal;
@@ -374,6 +402,8 @@ files_read_etc_files(hald_mac_t)
 
 auth_use_nsswitch(hald_mac_t)
 
+logging_send_syslog_msg(hald_mac_t)
+
 miscfiles_read_localization(hald_mac_t)
 
 ########################################
@@ -415,6 +445,49 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
 
 dev_rw_input_dev(hald_keymap_t)
 
+files_read_etc_files(hald_keymap_t)
 files_read_usr_files(hald_keymap_t)
 
 miscfiles_read_localization(hald_keymap_t)
+
+########################################
+#
+# Local hald dccm policy
+#
+
+allow hald_dccm_t self:capability { net_bind_service };
+allow hald_dccm_t self:process getsched;
+allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
+allow hald_dccm_t self:udp_socket create_socket_perms;
+allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
+
+domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
+allow hald_t hald_dccm_t:process signal;
+allow hald_dccm_t hald_t:unix_stream_socket connectto;
+
+manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
+files_search_var_lib(hald_dccm_t)
+
+write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
+
+kernel_search_network_sysctl(hald_dccm_t)
+
+corenet_all_recvfrom_unlabeled(hald_dccm_t)
+corenet_all_recvfrom_netlabel(hald_dccm_t)
+corenet_tcp_sendrecv_generic_if(hald_dccm_t)
+corenet_udp_sendrecv_generic_if(hald_dccm_t)
+corenet_tcp_sendrecv_generic_node(hald_dccm_t)
+corenet_udp_sendrecv_generic_node(hald_dccm_t)
+corenet_tcp_sendrecv_all_ports(hald_dccm_t)
+corenet_udp_sendrecv_all_ports(hald_dccm_t)
+corenet_tcp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_generic_node(hald_dccm_t)
+corenet_udp_bind_dhcpc_port(hald_dccm_t)
+corenet_tcp_bind_dccm_port(hald_dccm_t)
+
+logging_send_syslog_msg(hald_dccm_t)
+
+files_read_usr_files(hald_dccm_t)
+
+miscfiles_read_localization(hald_dccm_t)