diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc
index 4d62773..b206bf6 100644
--- a/policy/modules/admin/rpm.fc
+++ b/policy/modules/admin/rpm.fc
@@ -1,5 +1,7 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
+
+/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index 388518b..44624fe 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -22,6 +22,27 @@ interface(`rpm_domtrans',`
########################################
##
+## Execute debuginfo_install programs in the rpm domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rpm_debuginfo_domtrans',`
+ gen_require(`
+ type rpm_t;
+ type debuginfo_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, debuginfo_exec_t, rpm_t)
+')
+
+########################################
+##
## Execute rpm_script programs in the rpm_script domain.
##
##
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 8e36fcc..95dbcf3 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,10 +1,13 @@
-policy_module(rpm, 1.11.0)
+policy_module(rpm, 1.11.1)
########################################
#
# Declarations
#
+type debuginfo_exec_t;
+domain_entry_file(rpm_t, debuginfo_exec_t)
+
type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t, rpm_exec_t)
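Review bot: `domain_entry_file(rpm_t, debuginfo_exec_t)` on the third added line uses rpm_t before `type rpm_t;` is declared three lines further down; checkpolicy collects type declarations in an earlier pass, so this most likely still builds, but the refpolicy declaration blocks declare the domain first and attach extra entrypoints afterwards, so moving the two added lines below `init_system_domain(rpm_t, rpm_exec_t)` would read as intended. The new type also lacks the module prefix that rpm_exec_t and rpm_script_t carry; `rpm_debuginfo_exec_t` would match the interface name rpm_debuginfo_domtrans introduced in the rpm.if hunk and the label used in the rpm.fc hunk. A one-line comment above the declaration would spare the next reader a trip to rpm.if, e.g. `# entrypoint for debuginfo-install, which runs in rpm_t (see rpm_debuginfo_domtrans)`.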
@@ -193,6 +196,7 @@ optional_policy(`
optional_policy(`
dbus_system_domain(rpm_t, rpm_exec_t)
+ dbus_system_domain(rpm_t, debuginfo_exec_t)
optional_policy(`
hal_dbus_chat(rpm_t)
@@ -219,8 +223,8 @@ optional_policy(`
# rpm-script Local policy
#
-allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
-allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
+allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
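Review bot: The rewritten capability line grants rpm_script_t sys_admin, sys_ptrace, sys_rawio and net_admin, and the rewritten self:process line removes ptrace, execmem and execstack from the excluded set so all three become allowed, yet nothing in the hunk records which scriptlets need them. sys_admin and sys_rawio in particular leave rpm_script_t confinement largely nominal, so each addition should carry a justification or be gated behind a tunable rather than granted unconditionally, e.g. `# sys_admin/sys_rawio: required by <PACKAGE> scriptlets (TODO: confirm which); consider a tunable`. If execmem/execstack are needed only by particular scriptlets, keeping them in the excluded set and adding a targeted allow for that case would preserve the previous restriction on writable-executable memory. The same question of justification applies to the netlink_kobject_uevent_socket line added in the following hunk.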
@@ -231,6 +235,7 @@ allow rpm_script_t self:shm create_shm_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
+allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rpm_script_t rpm_tmp_t:file read_file_perms;
@@ -293,6 +298,7 @@ auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(rpm_script_t)
+auth_relabel_shadow(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
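Review bot: `auth_relabel_shadow(rpm_script_t)` is added directly under the existing `# ideally we would not need this` comment and `auth_manage_all_files_except_shadow`, and together with `files_relabel_all_files(rpm_script_t)` in the next hunk it undercuts the shadow carve-out: relabelfrom on shadow_t plus relabelto on the other file types lets a scriptlet move /etc/shadow out of the protected type, after which the existing manage rule covers it. If scriptlets genuinely need to restore the shadow label (for example after an account-creation step), the narrower grant is relabelto on shadow_t only, and in any case the line deserves its own comment rather than inheriting the one above, e.g. `# shadow relabel needed by <PACKAGE> scriptlet (TODO: confirm; relabelto alone may suffice)`.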
@@ -306,6 +312,7 @@ domain_signull_all_domains(rpm_script_t)
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
+files_relabel_all_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
@@ -342,6 +349,10 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(rpm_script_t)
+')
+
+optional_policy(`
lvm_domtrans(rpm_script_t)
')