Subject: [PATCH] refpolicy: services_hal changes
--text follows this line--
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-11-14 08:17:58.000000000 -0500
+++ serefpolicy-3.4.1/policy/modules/services/hal.fc 2008-05-27 07:34:21.000000000 -0400
@@ -8,6 +8,7 @@
/usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
+/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
@@ -16,10 +17,13 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/log/pm-suspend\.log gen_context(system_u:object_r:hald_log_t,s0)
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm-utils(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/vbestate -- gen_context(system_u:object_r:hald_var_run_t,s0)
-
+/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
ifdef(`distro_gentoo',`
/var/lib/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
')
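Review bot: The new entry `/var/run/vbe.* --` is a regular expression, so it labels every regular file in /var/run whose name starts with `vbe` as hald_var_run_t, where the removed entry matched `vbestate` exactly. Any domain granted access to hald_var_run_t files (for example through the interface in hal.if that allows `hald_var_run_t:file rw_file_perms`) gets that access to whatever else matches. If only one or two more state files are meant, an explicit alternation is tighter, e.g. `/var/run/vbe(state|mode) --`. The second name there is a placeholder, so use the files hal actually creates.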
--- nsaserefpolicy/policy/modules/services/hal.if 2008-05-09 11:59:10.000000000 -0400
+++ serefpolicy-3.4.1/policy/modules/services/hal.if 2008-05-27 07:34:21.000000000 -0400
@@ -195,7 +195,7 @@
##
##
##
-## Domain allowed access.
+## Domain to not audit
##
##
#
@@ -302,3 +302,42 @@
files_search_pids($1)
allow $1 hald_var_run_t:file rw_file_perms;
')
+
+########################################
+##
+## Send a SIGCHLD signal to hal.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`hal_getattr',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ allow $1 hald_t:process getattr;
+')
+
+########################################
+##
+##f Read hal system state
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`hal_read_state',`
+ gen_require(`
+ type hald_t;
+ ')
+ kernel_search_proc($1)
+ allow $1 hald_t:dir list_dir_perms;
+ read_files_pattern($1,hald_t,hald_t)
+ read_lnk_files_pattern($1,hald_t,hald_t)
+ dontaudit $1 hald_t:process ptrace;
+')
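Review bot: The summaries on both new interfaces do not match what they grant. `hal_getattr` is documented as "Send a SIGCHLD signal to hal." but its only rule is `allow $1 hald_t:process getattr;`, so the summary should read `## Get the attributes of the hal process.`. `hal_read_state` has a stray `f` in `##f Read hal system state`, and it describes its parameter as "Domain to not audit." although it is an allow interface, so that line should be `## Domain allowed access.`. Policy authors choose interfaces by these summaries, and a wrong one leads to the wrong permission being granted or reviewed.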
--- nsaserefpolicy/policy/modules/services/hal.te 2008-05-09 11:59:10.000000000 -0400
+++ serefpolicy-3.4.1/policy/modules/services/hal.te 2008-05-27 07:45:46.000000000 -0400
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
+typealias hald_log_t alias pmtools_log_t;
+typealias hald_var_run_t alias pmtools_var_run_t;
+
########################################
#
# Local policy
@@ -57,7 +60,7 @@
# execute openvt which needs setuid
allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
dontaudit hald_t self:capability {sys_ptrace sys_tty_config };
-allow hald_t self:process signal_perms;
+allow hald_t self:process { getattr signal_perms };
allow hald_t self:fifo_file rw_fifo_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow hald_t self:unix_dgram_socket create_socket_perms;
@@ -70,7 +73,7 @@
manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
# log files for hald
-allow hald_t hald_log_t:file manage_file_perms;
+manage_files_pattern(hald_t, hald_log_t, hald_log_t)
logging_log_filetrans(hald_t,hald_log_t,file)
manage_dirs_pattern(hald_t,hald_tmp_t,hald_tmp_t)
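Review bot: The log side of this change covers files only, while the var_run side in the next hunk covers directories as well. hal.fc now labels `/var/log/pm(/.*)?` as hald_log_t, but there is no `manage_dirs_pattern(hald_t, hald_log_t, hald_log_t)` here and `logging_log_filetrans(hald_t,hald_log_t,file)` still transitions files only. If hald or the pm scripts it runs create /var/log/pm themselves (not visible from this patch), the directory would be denied or get the parent's type until relabelled. In that case mirror the var_run lines with `logging_log_filetrans(hald_t,hald_log_t,{ dir file })`. If the directory is always shipped by the package, a one-line comment saying so is enough.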
@@ -82,8 +85,9 @@
manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+manage_dirs_pattern(hald_t,hald_var_run_t,hald_var_run_t)
manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
-files_pid_filetrans(hald_t,hald_var_run_t,file)
+files_pid_filetrans(hald_t,hald_var_run_t,{ dir file })
kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
@@ -93,6 +97,7 @@
kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
+kernel_setsched(hald_t)
auth_read_pam_console_data(hald_t)
@@ -121,6 +126,7 @@
dev_rw_power_management(hald_t)
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
+dev_read_video_dev(hald_t)
domain_use_interactive_fds(hald_t)
domain_read_all_domains_state(hald_t)
@@ -155,6 +161,8 @@
selinux_compute_relabel_context(hald_t)
selinux_compute_user_contexts(hald_t)
+dev_read_raw_memory(hald_t)
+
storage_raw_read_removable_device(hald_t)
storage_raw_write_removable_device(hald_t)
storage_raw_read_fixed_disk(hald_t)
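Review bot: `dev_read_raw_memory(hald_t)` gives the main hal daemon domain read access to the raw memory devices, with no comment saying which code path needs it. hald_t already holds a broad capability set (`sys_rawio`, `sys_admin`, `dac_override`), so this rule widens what a flaw in the daemon could read. The policy already has a separate hald_mac_t domain that carries the raw-memory rules for the backlight addon; if the reader is another helper, putting the rule in that helper's domain keeps hald_t narrower. If it must stay on hald_t, add a why-comment such as `# <helper name> reads /dev/mem for <purpose>` and group the line with the other dev_ calls rather than after the selinux_ block.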
@@ -172,6 +180,8 @@
init_rw_utmp(hald_t)
init_telinit(hald_t)
+fstools_getattr_swap_files(hald_t)
+
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)
libs_exec_ld_so(hald_t)
@@ -245,6 +255,10 @@
')
optional_policy(`
+ gpm_dontaudit_getattr_gpmctl(hald_t)
+')
+
+optional_policy(`
hotplug_read_config(hald_t)
')
@@ -266,6 +280,15 @@
')
optional_policy(`
+ podsleuth_domtrans(hald_t)
+')
+
+optional_policy(`
+ polkit_domtrans_auth(hald_t)
+ polkit_read_lib(hald_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(hald_t)
')
@@ -292,7 +315,8 @@
#
allow hald_acl_t self:capability { dac_override fowner };
-allow hald_acl_t self:fifo_file read_fifo_file_perms;
+allow hald_acl_t self:process { getattr signal };
+allow hald_acl_t self:fifo_file rw_fifo_file_perms;
domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
allow hald_t hald_acl_t:process signal;
@@ -302,9 +326,14 @@
manage_files_pattern(hald_acl_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_acl_t)
+manage_dirs_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t)
+manage_files_pattern(hald_acl_t,hald_var_run_t,hald_var_run_t)
+files_pid_filetrans(hald_acl_t,hald_var_run_t,{ dir file })
+
corecmd_exec_bin(hald_acl_t)
dev_getattr_all_chr_files(hald_acl_t)
+dev_setattr_all_chr_files(hald_acl_t)
dev_getattr_generic_usb_dev(hald_acl_t)
dev_getattr_video_dev(hald_acl_t)
dev_setattr_video_dev(hald_acl_t)
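Review bot: `dev_setattr_all_chr_files(hald_acl_t)` lets the ACL helper change attributes on every character device node, which is much wider than the per-class grants next to it such as `dev_setattr_video_dev(hald_acl_t)`. hald_acl_t also has `dac_override fowner`, so the type-enforcement rule is the main remaining limit on which device nodes it can chmod or re-own. If only particular device classes were being denied, adding the matching per-class setattr interfaces preserves that limit. Otherwise add a comment naming the denial that motivated the blanket rule, so it can be narrowed later.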
@@ -326,6 +355,11 @@
miscfiles_read_localization(hald_acl_t)
+optional_policy(`
+ polkit_domtrans_auth(hald_acl_t)
+ polkit_read_lib(hald_acl_t)
+')
+
########################################
#
# Local hald mac policy
@@ -339,10 +373,14 @@
manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
files_search_var_lib(hald_mac_t)
+dev_read_raw_memory(hald_mac_t)
dev_write_raw_memory(hald_mac_t)
+dev_read_sysfs(hald_mac_t)
files_read_usr_files(hald_mac_t)
+kernel_read_system_state(hald_mac_t)
+
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
@@ -392,3 +430,7 @@
libs_use_shared_libs(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
+
+# This is caused by a bug in hald and PolicyKit.
+# Should be removed when this is fixed
+cron_read_system_job_lib_files(hald_t)
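Review bot: `cron_read_system_job_lib_files(hald_t)` is called unconditionally, while the other cross-module additions in this patch (polkit, podsleuth, gpm) sit inside `optional_policy`. As far as I know cron is not a base module, so a policy built without it would fail to compile. Wrap the call in an optional_policy block like the others. The rule targets hald_t but is appended after the hald_keymap_t rules, so it would be easier to find, and to remove as the comment asks, next to the other hald_t rules. A bug reference in the comment would help with that removal.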