[selinux-policy: 1712/3172] last piece of dan's previous patch
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:32:57 UTC 2010
commit 82e284bb893a629c55b7b386af5ffdd8beede0bb
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Apr 11 13:31:10 2007 +0000
last piece of dan's previous patch
policy/modules/admin/rpm.if | 20 ++++++++++++++++++++
policy/modules/system/libraries.te | 7 +++++++
2 files changed, 27 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index 11b8297..57fc54f 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -211,6 +211,26 @@ interface(`rpm_use_script_fds',`
########################################
## <summary>
+## Create, read, write, and delete RPM
+## script temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`rpm_manage_script_tmp_files',`
+ gen_require(`
+ type rpm_script_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
## Read the RPM package database.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 41c7879..5563a38 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -107,3 +107,10 @@ optional_policy(`
# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
apache_dontaudit_search_modules(ldconfig_t)
')
+
+optional_policy(`
+ # When you install a kernel the postinstall builds a initrd image in tmp
+ # and executes ldconfig on it. If you dont allow this kernel installs
+ # blow up.
+ rpm_manage_script_tmp_files(ldconfig_t)
+')
More information about the scm-commits
mailing list