Written by: Martin Orr Allow upower/KDE on Debian Label pm-utils scripts as hald_exec_t: this is not really right, but it is the domain they ran in before, so this avoids lots of new rules /usr/sbin/pm-powersave /usr/lib/pm-utils/bin/pm-action
Index: policy/modules/services/devicekit.te
===================================================================
--- policy/modules/services/devicekit.te.orig
+++ policy/modules/services/devicekit.te
@@ -115,6 +115,7 @@
 fs_list_inotifyfs(devicekit_disk_t)
 fs_manage_fusefs_dirs(devicekit_disk_t)
+fs_getattr_xattr_fs(devicekit_disk_t)
 fs_mount_all_fs(devicekit_disk_t)
 fs_unmount_all_fs(devicekit_disk_t)
 fs_search_all(devicekit_disk_t)
@@ -220,6 +221,7 @@
 files_read_usr_files(devicekit_power_t)
 fs_list_inotifyfs(devicekit_power_t)
+fs_getattr_xattr_fs(devicekit_power_t)
 term_use_all_terms(devicekit_power_t)
@@ -263,6 +265,7 @@
 ')
 optional_policy(`
+ hal_domtrans(devicekit_power_t)
 hal_domtrans_mac(devicekit_power_t)
 hal_manage_log(devicekit_power_t)
 hal_manage_pid_dirs(devicekit_power_t)
Index: policy/modules/services/hal.fc
===================================================================
--- policy/modules/services/hal.fc.orig
+++ policy/modules/services/hal.fc
@@ -4,6 +4,8 @@
 /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+/usr/lib/pm-utils/bin/pm-action -- gen_context(system_u:object_r:hald_exec_t,s0)
+
 /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
 /usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
 /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
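Review bot: `hal_domtrans(devicekit_power_t)` in the `@@ -263,6 +265,7 @@` hunk of devicekit.te lets devicekit_power_t enter the hald domain through files labelled hald_exec_t, and the hal.fc hunks (`@@ -4,6 +4,8 @@` and `@@ -13,6 +15,7 @@`) put pm-action and pm-powersave under that label, so the pm-utils scripts run with hald's whole rule set rather than a domain sized for what they do. The patch description already calls this "not really right", but nothing in the policy source records it. I would add a comment above the call, e.g. `# pm-utils is labelled hald_exec_t as a stopgap (see hal.fc); replace with a dedicated pm-utils domain`, and the same remark above the two file-context entries. The enclosing optional_policy block continues past the end of the hunk.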
@@ -13,6 +15,7 @@
 /usr/sbin/radeontool -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
 /usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
+/usr/sbin/pm-powersave -- gen_context(system_u:object_r:hald_exec_t,s0)
 /var/cache/hald(/.*)? gen_context(system_u:object_r:hald_cache_t,s0)
Index: policy/modules/system/unconfined.te
===================================================================
--- policy/modules/system/unconfined.te.orig
+++ policy/modules/system/unconfined.te
@@ -108,6 +108,11 @@
 ')
 optional_policy(`
+ devicekit_dbus_chat_disk(unconfined_t)
+ devicekit_dbus_chat_power(unconfined_t)
+ ')
+
+ optional_policy(`
 hal_dbus_chat(unconfined_t)
 ')
Index: policy/modules/system/userdomain.if
===================================================================
--- policy/modules/system/userdomain.if.orig
+++ policy/modules/system/userdomain.if
@@ -624,6 +624,11 @@
 ')
 optional_policy(`
+ devicekit_dbus_chat_disk($1_t)
+ devicekit_dbus_chat_power($1_t)
+ ')
+
+ optional_policy(`
 hal_dbus_chat($1_t)
 ')
Index: policy/modules/services/devicekit.if
===================================================================
--- policy/modules/services/devicekit.if.orig
+++ policy/modules/services/devicekit.if
@@ -120,6 +120,24 @@
 ########################################
 ##
+## Allow domain to use file descriptors from devicekit power.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`devicekit_use_power_fds',`
+ gen_require(`
+ type devicekit_power_t;
+ ')
+
+ allow $1 devicekit_power_t:fd use;
+')
+
+########################################
+##
 ## Read devicekit PID files.
 ##
 ##
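Review bot: The two calls added at `@@ -624,6 +624,11 @@` in userdomain.if are applied to `$1_t`, so every user domain built from this template gains D-Bus chat with both the devicekit disk and power daemons, not only the desktop roles that upower/KDE needs. The template header is outside the hunk, so I cannot tell which template this is; if confined roles are instantiated from it, SELinux no longer separates them at this point and the decision to mount or suspend rests on the daemons' own authorization checks. Consider moving the calls into the policy of the specific roles that need them, or at least add a comment such as `# needed by upower/KDE session clients; authorization is enforced by the daemon, not by this rule`. The unconfined.te hunk makes the same grant to unconfined_t, which is less of a concern.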
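Review bot: `devicekit_use_power_fds` is defined in the `@@ -120,6 +120,24 @@` hunk of devicekit.if, but no hunk in this patch calls it, so the review cannot see which domain is meant to inherit descriptors from devicekit_power_t. If it is intended for the pm-utils scripts started through `hal_domtrans`, the transition interface may already cover fd use (inferred; its definition is not shown here). Either add the caller in this patch or hold the interface back until it is needed, so that each `fd use` grant arrives with a recorded reason.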