From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 06 Oct 2010 09:04:04 -0400
Subject: [refpolicy] [ patch 23/44] rpm: various changes both from
 fedora and myself. rpm: ntp post install scrript want to restart ntpd.
In-Reply-To: <1286216636-28449-25-git-send-email-domg472@gmail.com>
References: <1286216636-28449-1-git-send-email-domg472@gmail.com>
	<1286216636-28449-25-git-send-email-domg472@gmail.com>
Message-ID: <4CAC73C4.5060608@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/04/10 14:23, Dominick Grift wrote:
>
> Signed-off-by: Dominick Grift<domg472@gmail.com>

Merged.

> :100644 100644 efc0c37... 2b6fd87... M	policy/modules/admin/rpm.te
>   policy/modules/admin/rpm.te |   16 ++++++++++++++--
>   1 files changed, 14 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index efc0c37..2b6fd87 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -43,6 +43,7 @@ type rpm_script_exec_t;
>   domain_obj_id_change_exemption(rpm_script_t)
>   domain_system_change_exemption(rpm_script_t)
>   corecmd_shell_entry_type(rpm_script_t)
> +corecmd_bin_entry_type(rpm_script_t)
>   domain_type(rpm_script_t)
>   domain_entry_file(rpm_t, rpm_script_exec_t)
>   domain_interactive_fd(rpm_script_t)
> @@ -59,8 +60,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
>   # rpm Local policy
>   #
>
> -allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
> -
> +allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
>   allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
>   allow rpm_t self:process { getattr setexec setfscreate setrlimit };
>   allow rpm_t self:fd use;
> @@ -83,6 +83,7 @@ logging_log_filetrans(rpm_t, rpm_log_t, file)
>   manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
>   manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
>   files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
> +can_exec(rpm_t, rpm_tmp_t)
>
>   manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
>   manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
> @@ -90,6 +91,7 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
>   manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
>   manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
>   fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +can_exec(rpm_t, rpm_tmpfs_t)
>
>   manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
>   manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
> @@ -102,6 +104,7 @@ files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
>   manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
>   files_pid_filetrans(rpm_t, rpm_var_run_t, file)
>
> +kernel_read_crypto_sysctls(rpm_t)
>   kernel_read_network_state(rpm_t)
>   kernel_read_system_state(rpm_t)
>   kernel_read_kernel_sysctls(rpm_t)
> @@ -241,7 +244,10 @@ allow rpm_script_t rpm_tmp_t:file read_file_perms;
>   allow rpm_script_t rpm_script_tmp_t:dir mounton;
>   manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
>   manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> +manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
> +manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
>   files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
> +can_exec(rpm_script_t, rpm_script_tmp_t)
>
>   manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
>   manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
> @@ -249,7 +255,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
>   manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
>   manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
>   fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
> +can_exec(rpm_script_t, rpm_script_tmpfs_t)
>
> +kernel_read_crypto_sysctls(rpm_script_t)
>   kernel_read_kernel_sysctls(rpm_script_t)
>   kernel_read_system_state(rpm_script_t)
>   kernel_read_network_state(rpm_script_t)
> @@ -356,6 +364,10 @@ optional_policy(`
>   ')
>
>   optional_policy(`
> +	ntp_domtrans(rpm_script_t)
> +')
> +
> +optional_policy(`
>   	tzdata_domtrans(rpm_t)
>   	tzdata_domtrans(rpm_script_t)
>   ')


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com