From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 06 Oct 2010 09:04:04 -0400
Subject: [refpolicy] [ patch 23/44] rpm: various changes both from fedora and myself. rpm: ntp post install scrript want to restart ntpd.
In-Reply-To: <1286216636-28449-25-git-send-email-domg472@gmail.com>
References: <1286216636-28449-1-git-send-email-domg472@gmail.com> <1286216636-28449-25-git-send-email-domg472@gmail.com>
Message-ID: <4CAC73C4.5060608@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift

Merged.

> :100644 100644 efc0c37... 2b6fd87... M policy/modules/admin/rpm.te
> policy/modules/admin/rpm.te | 16 ++++++++++++++--
> 1 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index efc0c37..2b6fd87 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -43,6 +43,7 @@ type rpm_script_exec_t;
> domain_obj_id_change_exemption(rpm_script_t)
> domain_system_change_exemption(rpm_script_t)
> corecmd_shell_entry_type(rpm_script_t)
> +corecmd_bin_entry_type(rpm_script_t)
> domain_type(rpm_script_t)
> domain_entry_file(rpm_t, rpm_script_exec_t)
> domain_interactive_fd(rpm_script_t)
> @@ -59,8 +60,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
> # rpm Local policy
> #
>
> -allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
> -
> +allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
> allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
> allow rpm_t self:process { getattr setexec setfscreate setrlimit };
> allow rpm_t self:fd use;
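Review bot: `corecmd_bin_entry_type(rpm_script_t)` widens the set of executables that may serve as entry points for the rpm_script_t domain from shells to every file carrying the generic bin type, and nothing in the hunk says which scriptlet interpreter made that necessary. A comment above the new line, such as `# scriptlets may be started directly by an interpreter in bin, not only through a shell` with the actual case named, would let a later audit judge whether the wider entry set is still required. The type declaration block this sits in continues outside the hunk.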
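Review bot: The rewritten capability line for rpm_t is no longer sorted: `setfcap` is inserted between `fowner` and `fsetid`, and `mknod` still trails the `sys_*` entries, which makes future diffs of this long line harder to read. Sorting the set gives `allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };`. Because setfcap lets rpm_t stamp file capabilities onto the files it installs, a one-line comment stating that this is for packages that ship capability xattrs (presumably applied by rpm itself rather than by a scriptlet, which is why it lands on rpm_t and not rpm_script_t) would record why the grant belongs on this domain.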
> @@ -83,6 +83,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file)
> manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
> manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
> files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
> +can_exec(rpm_t, rpm_tmp_t)
>
> manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> @@ -90,6 +91,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +can_exec(rpm_t, rpm_tmpfs_t)
>
> manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
> manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
> @@ -102,6 +104,7 @@ files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
> manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
> files_pid_filetrans(rpm_t, rpm_var_run_t, file)
>
> +kernel_read_crypto_sysctls(rpm_t)
> kernel_read_network_state(rpm_t)
> kernel_read_system_state(rpm_t)
> kernel_read_kernel_sysctls(rpm_t)
> @@ -241,7 +244,10 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms;
> allow rpm_script_t rpm_script_tmp_t:dir mounton;
> manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> +manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> +manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
> +can_exec(rpm_script_t, rpm_script_tmp_t)
>
> manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
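Review bot: `can_exec(rpm_t, rpm_tmp_t)` lets the rpm_t domain execute files it has itself written under its tmp type with no domain transition, so anything rpm drops into rpm_tmp_t now runs with the full rpm_t privilege set; the same grant is added for rpm_tmpfs_t in the `@@ -90,6 +91,7 @@` hunk and for rpm_script_t's tmp and tmpfs types in the `@@ -241,7 +244,10 @@` and `@@ -249,7 +255,9 @@` hunks. None of the four lines says which operation needs it; for the rpm_script_t copies it is plausibly scriptlets executing helpers they extracted or generated, but that is inferred, not stated. A comment at the first occurrence such as `# rpm writes helper programs to its tmp dirs and executes them in place` (with the real operation named) would let a future audit confirm the execute permission is still needed instead of re-deriving it from denials.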
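Review bot: `kernel_read_crypto_sysctls(rpm_t)` is added without a comment, and the matching `kernel_read_crypto_sysctls(rpm_script_t)` in the `@@ -249,7 +255,9 @@` hunk has the same gap. The crypto sysctls are what crypto libraries read to learn whether the kernel is in FIPS mode, presumably triggered here by rpm's signature verification, though the hunk does not say so. Recording that as `# crypto libraries read the kernel fips switch during signature verification` next to both calls would stop a later cleanup from removing one of them as unused.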
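Review bot: `manage_blk_files_pattern` and `manage_chr_files_pattern` on rpm_script_tmp_t let a scriptlet create, write and remove device nodes under its tmp type, a noticeably larger grant than the dir and file management above it, and the hunk does not explain it. Read together with the existing `allow rpm_script_t rpm_script_tmp_t:dir mounton;` it looks like support for scriptlets that assemble a chroot under tmp, device nodes included, but that is an inference. A comment such as `# some scriptlets populate a chroot under tmp, including its device nodes` with the real package or case named would justify keeping both patterns, and if only one of blk or chr is actually exercised the other should be dropped.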
> @@ -249,7 +255,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +can_exec(rpm_script_t, rpm_script_tmpfs_t)
>
> +kernel_read_crypto_sysctls(rpm_script_t)
> kernel_read_kernel_sysctls(rpm_script_t)
> kernel_read_system_state(rpm_script_t)
> kernel_read_network_state(rpm_script_t)
> @@ -356,6 +364,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ntp_domtrans(rpm_script_t)
> +')
> +
> +optional_policy(`
> tzdata_domtrans(rpm_t)
> tzdata_domtrans(rpm_script_t)
> ')
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
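Review bot: `ntp_domtrans(rpm_script_t)` is the change the subject line describes, the ntp post-install scriptlet restarting ntpd, but the policy itself does not say so and the optional_policy block is otherwise opaque to the next reader. `# ntp post-install scriptlet restarts ntpd` above the call would record it. Whether the scriptlet runs the daemon binary directly or goes through the init script decides whether a plain domtrans into the ntp domain is the right interface; the subject's "restart" reads like the init script's job, so that is worth confirming with the reporter.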