diff --git a/policy/modules/services/consolekit.fc b/policy/modules/services/consolekit.fc
index 589f67198..32233abf4 100644
--- a/policy/modules/services/consolekit.fc
+++ b/policy/modules/services/consolekit.fc
@@ -1,5 +1,7 @@
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
+
/var/run/consolekit\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
-/var/run/ConsoleKit(/.*)? -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/console-kit-daemon\.pid -- gen_context(system_u:object_r:consolekit_var_run_t,s0)
+/var/run/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_var_run_t,s0)
diff --git a/policy/modules/services/consolekit.if b/policy/modules/services/consolekit.if
index f625dcf1c..42c6bd71a 100644
--- a/policy/modules/services/consolekit.if
+++ b/policy/modules/services/consolekit.if
@@ -55,5 +55,43 @@ interface(`consolekit_read_log',`
')
read_files_pattern($1, consolekit_log_t, consolekit_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+##
+## Manage consolekit log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_manage_log',`
+ gen_require(`
+ type consolekit_log_t;
+ ')
+
+ manage_files_pattern($1, consolekit_log_t, consolekit_log_t)
files_search_pids($1)
')
+
+########################################
+##
+## Read consolekit PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`consolekit_read_pid_files',`
+ gen_require(`
+ type consolekit_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
+')
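Review bot: The new `consolekit_manage_log` interface ends with `files_search_pids($1)`, the unchanged line left over from the old `consolekit_read_log` body. Callers therefore get search access to the PID directory but not to the log directory that holds the `consolekit_log_t` files. That line should read `logging_search_logs($1)`, matching what this hunk adds to `consolekit_read_log`. As written, a caller without log-directory search from some other interface will be denied before it reaches the files, and every caller picks up a PID-directory search permission it does not need. `consolekit_read_log` begins above the hunk.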
diff --git a/policy/modules/services/consolekit.te b/policy/modules/services/consolekit.te
index ca6cd03ed..1dee2987d 100644
--- a/policy/modules/services/consolekit.te
+++ b/policy/modules/services/consolekit.te
@@ -1,5 +1,5 @@
-policy_module(consolekit, 1.5.1)
+policy_module(consolekit, 1.5.2)
########################################
#
@@ -21,7 +21,7 @@ files_pid_file(consolekit_var_run_t)
# consolekit local policy
#
-allow consolekit_t self:capability { setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
+allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
allow consolekit_t self:process { getsched signal };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket create_stream_socket_perms;
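Review bot: `chown` is added to a capability set that already contains `dac_override` and `sys_ptrace`, and nothing in the hunk says what consolekit needs to change ownership of. A one-line comment above the rule would let a later reviewer check the grant against least privilege, for example `# chown: <path consolekit re-owns, taken from the AVC denial>`. The local policy section continues past the hunk.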
@@ -59,6 +59,8 @@ mcs_ptrace_all(consolekit_t)
term_use_all_terms(consolekit_t)
auth_use_nsswitch(consolekit_t)
+auth_manage_pam_console_data(consolekit_t)
+auth_write_login_records(consolekit_t)
init_telinit(consolekit_t)
init_rw_utmp(consolekit_t)
@@ -74,13 +76,11 @@ userdom_read_user_tmp_files(consolekit_t)
hal_ptrace(consolekit_t)
tunable_policy(`use_nfs_home_dirs',`
- fs_dontaudit_list_nfs(consolekit_t)
- fs_dontaudit_rw_nfs_files(consolekit_t)
+ fs_read_nfs_files(consolekit_t)
')
tunable_policy(`use_samba_home_dirs',`
- fs_dontaudit_list_cifs(consolekit_t)
- fs_dontaudit_rw_cifs_files(consolekit_t)
+ fs_read_cifs_files(consolekit_t)
')
optional_policy(`
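Review bot: Replacing the four `fs_dontaudit_*` calls with `fs_read_nfs_files(consolekit_t)` and `fs_read_cifs_files(consolekit_t)` moves consolekit_t from silently denied to read access on the NFS and CIFS file types whenever the booleans are on. Files on such mounts usually share one type rather than carrying per-file labels, so the grant presumably covers everything readable on the share, not just the file consolekit is after. A comment inside each `tunable_policy` block naming that file would document why read on the whole type is accepted, e.g. `# read <file> from network home directories`. Dropping the `fs_dontaudit_rw_*` calls also means any write attempts are now audited; if those are expected, keeping a dontaudit rule for writes would avoid log noise.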
@@ -100,16 +100,28 @@ optional_policy(`
')
optional_policy(`
+ policykit_dbus_chat(consolekit_t)
policykit_domtrans_auth(consolekit_t)
policykit_read_lib(consolekit_t)
policykit_read_reload(consolekit_t)
')
optional_policy(`
+ type consolekit_tmpfs_t;
+ files_tmpfs_file(consolekit_tmpfs_t)
+
xserver_read_xdm_pid(consolekit_t)
xserver_read_user_xauth(consolekit_t)
xserver_non_drawing_client(consolekit_t)
corenet_tcp_connect_xserver_port(consolekit_t)
+ xserver_stream_connect(consolekit_t)
+ xserver_user_x_domain_template(consolekit, consolekit_t, consolekit_tmpfs_t)
+')
+
+optional_policy(`
+ udev_domtrans(consolekit_t)
+ udev_read_db(consolekit_t)
+ udev_signal(consolekit_t)
')
optional_policy(`
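Review bot: `type consolekit_tmpfs_t;` and `files_tmpfs_file(consolekit_tmpfs_t)` are declared inside the xserver `optional_policy` block, while the module's other types (see `files_pid_file(consolekit_var_run_t)` in the earlier hunk header) appear to sit in the declarations section ahead of the local policy. Moving the two lines there keeps the type defined whether or not the xserver module is present and follows the file's layout. Separately, `udev_domtrans(consolekit_t)` together with `udev_signal(consolekit_t)` lets consolekit_t enter and signal the udev domain, and `xserver_user_x_domain_template` is a broad template. A short comment on each stating what consolekit runs or needs from them would make these grants reviewable.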