[selinux-policy/f14/master: 3203/3230] rpm: various changes both from fedora and myself. rpm: ntp post install scrript want to restart ntpd

Daniel J Walsh dwalsh at fedoraproject.org
Tue Oct 12 20:16:27 UTC 2010


commit b9df0a97277865984c7e97a977dd7cd7373c7413
Author: Dominick Grift <domg472 at gmail.com>
Date:   Mon Oct 4 20:23:35 2010 +0200

    rpm: various changes both from fedora and myself. rpm: ntp post install script wants to restart ntpd.
    
    Signed-off-by: Dominick Grift <domg472 at gmail.com>

 policy/modules/admin/rpm.te |   16 ++++++++++++++--
 1 files changed, 14 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index efc0c37..2b6fd87 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -43,6 +43,7 @@ type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
 domain_system_change_exemption(rpm_script_t)
 corecmd_shell_entry_type(rpm_script_t)
+corecmd_bin_entry_type(rpm_script_t)
 domain_type(rpm_script_t)
 domain_entry_file(rpm_t, rpm_script_exec_t)
 domain_interactive_fd(rpm_script_t)
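Review bot: `corecmd_bin_entry_type(rpm_script_t)` on the added line makes every bin_t executable a valid entry point into rpm_script_t, a domain that the surrounding lines exempt from object-id and system-change checks, and nothing records which non-shell scriptlet interpreter motivated widening beyond `corecmd_shell_entry_type`. A one-line comment above it naming that interpreter, e.g. `# scriptlets may also be entered through non-shell interpreters living in bin_t`, would tell the next maintainer why shell entry alone was insufficient.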
@@ -59,8 +60,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
 # rpm Local policy
 #
 
-allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
-
+allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
 allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
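Review bot: `setfcap` joins an already broad rpm_t capability set on the replacement line without a note on what needs it; presumably it is required so that package installation can write file capabilities onto payload files, but the hunk does not say so. A comment such as `# setfcap: rpm applies file capabilities from package metadata to installed files` above the allow rule would document the grant. Dropping the blank line that separated the capability rule from the `self:process` rules also makes the two groups run together, which reads less clearly than the original spacing.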
@@ -83,6 +83,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file)
 manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+can_exec(rpm_t, rpm_tmp_t)
 
 manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
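Review bot: `can_exec(rpm_t, rpm_tmp_t)` lets rpm_t execute files in a temp type it can itself write, and the same is granted for rpm_tmpfs_t at line 52 and for rpm_script_t at lines 71 and 79; none of the four rules records which helper or scriptlet is executed from tmp. Execute permission on a domain-writable temp type is a common policy audit finding because it removes the separation between what the domain can write and what it can run; rpm_t and rpm_script_t are already system-change exempt, so the practical widening is modest, but the reason should still be stated. A comment above each can_exec (or once per domain), e.g. `# rpm unpacks scriptlets/helpers into its tmp dir and runs them from there`, adjusted to whatever actually triggered the denial, would do; confirm that the private rpm tmp types are the intended scope rather than the generic tmp types.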
@@ -90,6 +91,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_t, rpm_tmpfs_t)
 
 manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
@@ -102,6 +104,7 @@ files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
 manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
 files_pid_filetrans(rpm_t, rpm_var_run_t, file)
 
+kernel_read_crypto_sysctls(rpm_t)
 kernel_read_network_state(rpm_t)
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
@@ -241,7 +244,10 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms;
 allow rpm_script_t rpm_script_tmp_t:dir mounton;
 manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
 manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
 files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
+can_exec(rpm_script_t, rpm_script_tmp_t)
 
 manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
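Review bot: The two added manage_blk_files_pattern/manage_chr_files_pattern rules let rpm_script_t create and remove block and character device nodes under rpm_script_tmp_t, which is stronger than the file/dir management the block previously had and is not explained. Device nodes in a temp directory are usually wanted only by chroot-style scriptlets that populate a /dev inside a tree they mount there; the `mounton` rule at the top of the hunk hints at such a use, but the hunk does not show it, and whether rpm_script_t also holds the mknod capability is outside this view — confirm both. Record the intended user with a comment like `# scriptlets that build a chroot under tmp create device nodes inside it` above the new rules.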
@@ -249,7 +255,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
 
+kernel_read_crypto_sysctls(rpm_script_t)
 kernel_read_kernel_sysctls(rpm_script_t)
 kernel_read_system_state(rpm_script_t)
 kernel_read_network_state(rpm_script_t)
@@ -356,6 +364,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ntp_domtrans(rpm_script_t)
+')
+
+optional_policy(`
 	tzdata_domtrans(rpm_t)
 	tzdata_domtrans(rpm_script_t)
 ')
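Review bot: `ntp_domtrans(rpm_script_t)` gives scriptlets a direct domain transition into the ntp daemon domain, whereas the commit message says the post-install scriptlet wants to restart ntpd; a service restart would normally run the init script and transition from there rather than execute the daemon binary directly, so it is worth confirming the scriptlet really invokes the ntpd executable before keeping this rule. Either way the new optional_policy block carries no explanation; a comment inside it, `# ntp post-install scriptlet restarts ntpd`, matches the commit message and tells future readers why rpm_script_t transitions to the ntp domain.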

