Written by: Martin Orr
Cope with changes in udev 146

udev-acl reads /var/run/ConsoleKit/database directly (presumably to avoid a
dbus dependency), so add consolekit_read_pid_files interface.

Note that udev also has a TEST for /var/run/ConsoleKit/database, so udevd
itself needs getattr on consolekit.

Maybe the consolekit database should have its own type.

A dbus fd is leaked through ConsoleKit to udev-acl, so dontaudit that.
Index: policy/modules/system/udev.te
===================================================================
--- policy/modules/system/udev.te.orig
+++ policy/modules/system/udev.te
@@ -217,6 +217,10 @@
')
optional_policy(`
+ consolekit_read_pid_files(udev_t)
+')
+
+optional_policy(`
consoletype_exec(udev_t)
')
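Review bot: consolekit_read_pid_files(udev_t) in the new optional_policy block is called here, but the interface definition the commit message says is being added does not appear in the visible patch; the consolekit.if change needs to travel with this hunk, otherwise the call has nothing to expand to. Since the message itself notes that only /var/run/ConsoleKit/database is read and that the database could have its own type, a dedicated type with a read interface scoped to it would give udev_t less than read access to every ConsoleKit pid file.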
@@ -226,6 +230,7 @@
optional_policy(`
dbus_system_bus_client(udev_t)
+ dbus_dontaudit_use_system_fds(udev_t)
')
optional_policy(`
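Review bot: dbus_dontaudit_use_system_fds(udev_t) silences every denied use of a system_dbusd_t descriptor in udev_t, with nothing at the call site saying why. Add a comment above the line stating that it covers the dbus fd leaked through ConsoleKit to udev-acl, so the rule can be found and dropped once ConsoleKit stops leaking the descriptor.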
Index: policy/modules/services/dbus.if
===================================================================
--- policy/modules/services/dbus.if.orig
+++ policy/modules/services/dbus.if
@@ -392,6 +392,24 @@
########################################
##
+## Allow domain to use file descriptors from system DBUS.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dbus_dontaudit_use_system_fds',`
+ gen_require(`
+ type system_dbusd_t;
+ ')
+
+ dontaudit $1 system_dbusd_t:fd use;
+')
+
+########################################
+##
## Allow unconfined access to the system DBUS.
##
##
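Review bot: the documentation block for dbus_dontaudit_use_system_fds says "Allow domain to use file descriptors from system DBUS." and "Domain allowed access.", but the body is dontaudit $1 system_dbusd_t:fd use; which grants nothing. Reword the summary to "Do not audit attempts to use file descriptors from system DBUS." and the parameter text to "Domain to not audit." so the generated interface documentation matches the rule.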