From: domg472@gmail.com (Dominick Grift) Date: Mon, 4 Oct 2010 20:23:35 +0200 Subject: [refpolicy] [ patch 23/44] rpm: various changes both from fedora and myself. rpm: ntp post install scrript want to restart ntpd. In-Reply-To: <1286216636-28449-1-git-send-email-domg472@gmail.com> References: <1286216636-28449-1-git-send-email-domg472@gmail.com> Message-ID: <1286216636-28449-25-git-send-email-domg472@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Dominick Grift
---
:100644 100644 efc0c37... 2b6fd87... M policy/modules/admin/rpm.te policy/modules/admin/rpm.te | 16 ++++++++++++++-- 1 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index efc0c37..2b6fd87 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -43,6 +43,7 @@ type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
 domain_system_change_exemption(rpm_script_t)
 corecmd_shell_entry_type(rpm_script_t)
+corecmd_bin_entry_type(rpm_script_t)
 domain_type(rpm_script_t)
 domain_entry_file(rpm_t, rpm_script_exec_t)
 domain_interactive_fd(rpm_script_t)
@@ -59,8 +60,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
 # rpm Local policy
 #
 
-allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
-
+allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
 allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
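Review bot: `corecmd_bin_entry_type(rpm_script_t)` widens the entry points of the scriptlet domain from shells to every bin_t program, and nothing in the hunk or the commit message says which scriptlets need that. Presumably the aim is that a scriptlet run through a non-shell interpreter still lands in rpm_script_t when entered from rpm_t via rpm_script_exec_t (the `domain_entry_file` line below it), rather than failing the transition. A one-line comment above the new line, such as `# scriptlets may be executed through a non-shell interpreter in bin_t`, would record the reason so the broader entry set is not later taken for a leftover.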
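Review bot: `setfcap` is added to rpm_t's self:capability set with no note of what needs it, and the commit message only says "various changes"; the removed-then-readded form of the long capability line makes the one new word easy to miss in review. setfcap lets the process set file capabilities on files it writes, so presumably this is for packages whose files ship with capabilities; a comment such as `# setfcap: installing files that carry file capabilities` would keep it from being dropped as unexplained later. rpm_script_t's own capability line is outside this hunk, so whether scriptlets that call setcap themselves are covered cannot be checked here.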
@@ -83,6 +83,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file)
 manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
 files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
+can_exec(rpm_t, rpm_tmp_t)
 
 manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
@@ -90,6 +91,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_t, rpm_tmpfs_t)
 
 manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
 manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
@@ -102,6 +104,7 @@ files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
 manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
 files_pid_filetrans(rpm_t, rpm_var_run_t, file)
 
+kernel_read_crypto_sysctls(rpm_t)
 kernel_read_network_state(rpm_t)
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
@@ -241,7 +244,10 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms;
 allow rpm_script_t rpm_script_tmp_t:dir mounton;
 manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
 manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
+manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
 files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
+can_exec(rpm_script_t, rpm_script_tmp_t)
 
 manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
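Review bot: `can_exec(rpm_t, rpm_tmp_t)` lets rpm_t execute, without any domain transition, content it can itself write under its own tmp type (the `manage_files_pattern` line just above it); the same write-plus-execute grant is repeated for rpm_tmpfs_t in the `@@ -90` hunk and for rpm_script_t in the `@@ -241` and `@@ -249` hunks. Scriptlets run in rpm_script_t, so if the only consumer is a scriptlet unpacking helper programs into /tmp, the two rpm_t grants (here and in `@@ -90`) may be unnecessary; if rpm itself needs them, a comment naming the case, e.g. `# rpm executes helper programs it extracts into its tmp dir`, would justify keeping both sets. Either way these tmp types are now executable for their owning domains, which deserves an explicit sentence in the commit message rather than "various changes".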
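Review bot: `manage_blk_files_pattern`/`manage_chr_files_pattern` on rpm_script_tmp_t only take effect for device nodes created inside a directory that already carries rpm_script_tmp_t, because the `files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })` line that follows transitions only file and dir. A node a scriptlet creates directly in /tmp keeps the directory's default type and the new rules will not match it; if that case is intended the class list should become `{ file dir blk_file chr_file }`, otherwise a comment saying the nodes live under a scriptlet-owned subdirectory would make the limitation deliberate. Creating device nodes also requires the mknod capability in rpm_script_t's self:capability set, which is outside this hunk, so confirm it is present. Letting the scriptlet domain mint device nodes under a tmp type is a notable widening for a domain that runs arbitrary package code, so naming the package that needs it would help the next reviewer.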
@@ -249,7 +255,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
 fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
 
+kernel_read_crypto_sysctls(rpm_script_t)
 kernel_read_kernel_sysctls(rpm_script_t)
 kernel_read_system_state(rpm_script_t)
 kernel_read_network_state(rpm_script_t)
@@ -356,6 +364,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ntp_domtrans(rpm_script_t)
+')
+
+optional_policy(`
 	tzdata_domtrans(rpm_t)
 	tzdata_domtrans(rpm_script_t)
 ')
-- 
1.7.2.3
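Review bot: `ntp_domtrans(rpm_script_t)` models a transition to the ntpd domain on direct execution of the ntpd binary, while the commit message says the post-install script wants to restart ntpd, which is normally done through the init script. If the scriptlet goes through the init script, the transition it actually exercises is to the init-script domain and refpolicy's `ntp_initrc_domtrans` is the interface for that; if it really execs ntpd directly, a comment above the new line saying so would stop the next maintainer from "correcting" it. The run of optional_policy blocks this is inserted into continues outside the hunk.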