diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
index 7ebe9f6..4d62773 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -1,18 +1,20 @@
 
 /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
-/usr/lib(64)?/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
-/usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yumex-yum-backend --	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 ifdef(`distro_redhat', `
 /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
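Review bot: The added entry `/usr/libexec/yumDBUSBackend.py` leaves the dot unescaped, so as a file-context regex it matches any character in that position, whereas the `yum_childtask\.py` entry in the same hunk escapes it. Because the label is `rpm_exec_t`, an entry point into the rpm domain, the pattern should match exactly one path: `/usr/libexec/yumDBUSBackend\.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)`. The hunk also drops the `bin_t` entries for the `/usr/lib(64)?/rpm/rpm[dqkv]` helpers without saying which rule labels them now; it is worth confirming they do not fall back to a label rpm_t cannot execute.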
@@ -23,13 +25,18 @@ ifdef(`distro_redhat', `
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
-/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
 
+/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 
 /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 
+/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
+
 # SuSE
 ifdef(`distro_suse', `
 /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
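Review bot: `/var/run/PackageKit(/.*)?` has no file-type field, so it labels the directory itself `rpm_var_run_t`, but the rpm.te part of this commit grants rpm_t only `manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)` and `files_pid_filetrans(rpm_t, rpm_var_run_t, file)`. Unless the unconfined optional block is relied on, rpm_t could add files to an existing directory of that type but not create the directory. Consider adding `manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)` and widening the transition to `{ file dir }`. Separately, `/var/run/yum.*` matches every regular file whose path merely begins with `/var/run/yum`; if only the yum pid or lock file is meant, a narrower pattern would avoid labelling unrelated files `rpm_var_run_t`.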
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index c7b136a..1f49c10 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -92,6 +92,24 @@ interface(`rpm_exec',`
 
 ########################################
 ## <summary>
+##	Send a null signal to rpm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_signull',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	allow $1 rpm_t:process signull;
+')
+
+########################################
+## <summary>
 ##	Inherit and use file descriptors from RPM.
 ## </summary>
 ## <param name="domain">
@@ -167,6 +185,86 @@ interface(`rpm_dbus_chat',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to send and
+##	receive messages from rpm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_dbus_chat',`
+	gen_require(`
+		type rpm_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 rpm_t:dbus send_msg;
+	dontaudit rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	rpm_script over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_script_dbus_chat',`
+	gen_require(`
+		type rpm_script_t;
+		class dbus send_msg;
+	')
+
+	allow $1 rpm_script_t:dbus send_msg;
+	allow rpm_script_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Search RPM log directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_search_log',`
+	gen_require(`
+		type rpm_log_t;
+	')
+
+	allow $1 rpm_log_t:dir search_dir_perms;
+')
+
+#####################################
+## <summary>
+##      Allow the specified domain to append
+##      to rpm log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_append_log',`
+        gen_require(`
+                type rpm_log_t;
+        ')
+
+        logging_search_logs($1)
+        append_files_pattern($1, rpm_log_t, rpm_log_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete the RPM log.
 ## </summary>
 ## <param name="domain">
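Review bot: `rpm_dontaudit_dbus_chat` documents its parameter as "Domain allowed access.", but the interface grants nothing and only suppresses audit records, so a policy author reading the generated docs could take it for an allow interface. The param summary should read `##	Domain to not audit.`. In the same hunk `rpm_search_log` allows `rpm_log_t:dir search_dir_perms` without `logging_search_logs($1)`, while `rpm_append_log` just below calls it; callers of `rpm_search_log` would still be denied at the parent log directory unless they have that access from elsewhere. `rpm_append_log` is also indented with spaces where the rest of the file uses tabs.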
@@ -222,6 +320,107 @@ interface(`rpm_manage_script_tmp_files',`
 	manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
 ')
 
+#####################################
+## <summary>
+##      Allow the specified domain to append
+##      to rpm tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_append_tmp_files',`
+        gen_require(`
+                type rpm_tmp_t;
+        ')
+
+        files_search_tmp($1)
+        append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete RPM
+##	 temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+##	Read RPM script temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_read_script_tmp_files',`
+	gen_require(`
+		type rpm_script_tmp_t;
+	')
+
+	read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+	read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
+##	Read the RPM cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_read_cache',`
+	gen_require(`
+		type rpm_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 rpm_var_cache_t:dir list_dir_perms;
+	read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+	read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_cache',`
+	gen_require(`
+		type rpm_var_cache_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+	manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+	manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the RPM package database.
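Review bot: `rpm_manage_cache` looks copied from the package-database interface. Its summary still says "Create, read, write, and delete the RPM package database." and it calls `files_search_var_lib($1)`, although `rpm_var_cache_t` is placed under `/var/cache/yum` by rpm.fc and the sibling `rpm_read_cache` uses `files_search_var($1)`. As written, a caller gets search access to `/var/lib`, which it does not need, and may lack search on the cache's actual parent. Suggested lines: `##	Create, read, write, and delete the RPM cache.` and `files_search_var($1)`. `rpm_read_script_tmp_files` in this hunk also omits the `files_search_tmp($1)` that the two tmp interfaces above it include.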
@@ -245,6 +444,24 @@ interface(`rpm_read_db',`
 
 ########################################
 ## <summary>
+##	Delete the RPM package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_delete_db',`
+	gen_require(`
+		type rpm_var_lib_t;
+	')
+
+	delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete the RPM package database.
 ## </summary>
 ## <param name="domain">
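Review bot: The summary of `rpm_delete_db` understates what it grants, because `delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)` applies to every file of that type, and rpm.fc in this commit assigns `rpm_var_lib_t` to `/var/lib/alternatives` and `/var/lib/yum` as well as `/var/lib/rpm`. Since this is a destructive permission on integrity-critical state, the doc should say so, for example `##	Delete files in the RPM package database and other rpm_var_lib_t directories.`. The interface also has no `files_search_var_lib($1)`, so a caller without other access to `/var/lib` would presumably still be denied; confirm against `rpm_read_db`, whose body is outside this hunk.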
@@ -283,3 +500,59 @@ interface(`rpm_dontaudit_manage_db',`
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
+
+#####################################
+## <summary>
+##      Read rpm pid files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_read_pid_files',`
+        gen_require(`
+                type rpm_var_run_t;
+        ')
+
+	read_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
+	files_search_pids($1)
+')
+
+#####################################
+## <summary>
+##      Create, read, write, and delete rpm pid files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_manage_pid_files',`
+        gen_require(`
+                type rpm_var_run_t;
+        ')
+
+        manage_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
+	files_search_pids($1)
+')
+
+######################################
+## <summary>
+##      Create files in /var/run with the rpm pid file type.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_pid_filetrans',`
+        gen_require(`
+                type rpm_var_run_t;
+        ')
+
+        files_pid_filetrans($1, rpm_var_run_t, file)
+')
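Review bot: The three pid-file interfaces mix space and tab indentation inside a single body (`gen_require` indented with spaces, `files_search_pids($1)` with a tab) and drop the space after commas in `read_files_pattern($1,rpm_var_run_t,rpm_var_run_t)`, unlike the rest of rpm.if. Please indent with tabs throughout and write `read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)` and `manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)`. The file's other interfaces also put the parent-directory search first, so `files_search_pids($1)` would read better before the pattern macro.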
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index f853355..8881b7e 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
 
-policy_module(rpm, 1.10.0)
+policy_module(rpm, 1.10.1)
 
 ########################################
 #
@@ -31,6 +31,12 @@ type rpm_var_lib_t;
 files_type(rpm_var_lib_t)
 typealias rpm_var_lib_t alias var_lib_rpm_t;
 
+type rpm_var_cache_t;
+files_type(rpm_var_cache_t)
+
+type rpm_var_run_t;
+files_pid_file(rpm_var_run_t)
+
 type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
@@ -52,8 +58,9 @@ files_tmpfs_file(rpm_script_tmpfs_t)
 # rpm Local policy
 #
 
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
+
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
 allow rpm_t self:fifo_file rw_fifo_file_perms;
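Review bot: Removing `execmem` from the excluded set in `allow rpm_t self:process ~{ ... }` silently grants rpm_t executable anonymous memory, and nothing in the hunk says which component needs it. rpm_t can already rewrite most files and raw disks elsewhere in this file, so weakening its memory protections deserves an explicit, greppable rule rather than a change inside a complement set. Consider keeping `execmem` in the exclusion list and adding `allow rpm_t self:process execmem; # required by <component>, see <bug reference>` with the placeholders filled in. The same applies to the newly added `ipc_lock` and `sys_nice` capabilities, which have no rationale either.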
@@ -83,10 +90,18 @@ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+
 # Access /var/lib/rpm files
 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
 
+manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+
+kernel_read_network_state(rpm_t)
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
 
@@ -108,8 +123,9 @@ corenet_sendrecv_all_client_packets(rpm_t)
 dev_list_sysfs(rpm_t)
 dev_list_usbfs(rpm_t)
 dev_read_urand(rpm_t)
-#devices_manage_all_device_types(rpm_t)
 
+fs_getattr_all_dirs(rpm_t)
+fs_list_inotifyfs(rpm_t)
 fs_manage_nfs_dirs(rpm_t)
 fs_manage_nfs_files(rpm_t)
 fs_manage_nfs_symlinks(rpm_t)
@@ -132,6 +148,8 @@ storage_raw_write_fixed_disk(rpm_t)
 # for installing kernel packages
 storage_raw_read_fixed_disk(rpm_t)
 
+term_list_ptys(rpm_t)
+
 auth_relabel_all_files_except_shadow(rpm_t)
 auth_manage_all_files_except_shadow(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
@@ -155,6 +173,7 @@ domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
 files_exec_etc_files(rpm_t)
 
 init_domtrans_script(rpm_t)
+init_use_script_ptys(rpm_t)
 
 libs_exec_ld_so(rpm_t)
 libs_exec_lib_files(rpm_t)
@@ -174,7 +193,15 @@ optional_policy(`
 ')
 
 optional_policy(`
-	hal_dbus_chat(rpm_t)
+	dbus_system_domain(rpm_t, rpm_exec_t)
+
+	optional_policy(`
+		hal_dbus_chat(rpm_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(rpm_t)
+	')
 ')
 
 optional_policy(`
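Review bot: `dbus_system_domain(rpm_t, rpm_exec_t)` makes rpm_t itself the system-bus service domain, so the bus-facing daemons that rpm.fc labels `rpm_exec_t` in this commit (`packagekitd`, `yumDBUSBackend.py`) run with the whole rpm_t rule set, which in this file includes `storage_raw_write_fixed_disk` and `auth_manage_all_files_except_shadow`. If those daemons only broker requests, a separate, narrower domain that transitions to rpm_t for the actual transaction would keep the process that parses bus messages less privileged. At minimum, add a comment above the macro naming the services that require bus activation. The trailing `optional_policy(` opens a block that continues outside this hunk.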
@@ -185,26 +212,9 @@ optional_policy(`
 	unconfined_domain(rpm_t)
 	# yum-updatesd requires this
 	unconfined_dbus_chat(rpm_t)
+	unconfined_dbus_chat(rpm_script_t)
 ')
 
-ifdef(`TODO',`
-# read/write/create any files in the system
-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow rpm_t ttyfile:chr_file unlink;
-
-# needs rw permission to the directory for an rpm package that includes a mount
-# point
-allow rpm_t fs_type:dir { setattr rw_dir_perms };
-
-allow rpm_t mount_t:tcp_socket write;
-
-allow rpm_t rpc_pipefs_t:dir search;
-
-optional_policy(`
-allow rpm_t sysadm_gph_t:fd use;
-')
-') dnl endif TODO
-
 ########################################
 #
 # rpm-script Local policy
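Review bot: The new `unconfined_dbus_chat(rpm_script_t)` is added inside the rpm_t local-policy section, directly under the comment "yum-updatesd requires this", which describes the rpm_t rule and gives no reason for the script domain. A rule for rpm_script_t is easier to audit in the rpm-script section, next to the existing `unconfined_domain(rpm_script_t)` block visible later in this diff, with its own comment stating which scriptlet or service needs to talk to unconfined domains over D-Bus. The removal of the dead `ifdef(TODO)` block is fine.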
@@ -239,6 +249,8 @@ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_fi
 
 kernel_read_kernel_sysctls(rpm_script_t)
 kernel_read_system_state(rpm_script_t)
+kernel_read_network_state(rpm_script_t)
+kernel_read_software_raid_state(rpm_script_t)
 
 dev_list_sysfs(rpm_script_t)
 
@@ -250,6 +262,8 @@ dev_manage_all_chr_files(rpm_script_t)
 
 fs_manage_nfs_files(rpm_script_t)
 fs_getattr_nfs(rpm_script_t)
+fs_search_all(rpm_script_t)
+fs_getattr_all_fs(rpm_script_t)
 # why is this not using mount?
 fs_getattr_xattr_fs(rpm_script_t)
 fs_mount_xattr_fs(rpm_script_t)
@@ -272,6 +286,8 @@ selinux_compute_user_contexts(rpm_script_t)
 storage_raw_read_fixed_disk(rpm_script_t)
 storage_raw_write_fixed_disk(rpm_script_t)
 
+term_getattr_unallocated_ttys(rpm_script_t)
+term_list_ptys(rpm_script_t)
 term_use_all_terms(rpm_script_t)
 
 auth_dontaudit_getattr_shadow(rpm_script_t)
@@ -293,6 +309,7 @@ files_read_etc_runtime_files(rpm_script_t)
 files_exec_usr_files(rpm_script_t)
 
 init_domtrans_script(rpm_script_t)
+init_telinit(rpm_script_t)
 
 libs_exec_ld_so(rpm_script_t)
 libs_exec_lib_files(rpm_script_t)
@@ -326,11 +343,19 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lvm_domtrans(rpm_script_t)
+')
+
+optional_policy(`
 	tzdata_domtrans(rpm_t)
 	tzdata_domtrans(rpm_script_t)
 ')
 
 optional_policy(`
+	udev_domtrans(rpm_script_t)
+')
+
+optional_policy(`
 	unconfined_domain(rpm_script_t)
 	unconfined_domtrans(rpm_script_t)