RPM patch from Dan Walsh.

policy/modules/admin/rpm.fc

@@ -1,18 +1,20 @@
 
 /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
-/usr/lib(64)?/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/lib(64)?/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
+
-/usr/lib(64)?/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/lib(64)?/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
-/usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yumex-yum-backend --	gen_context(system_u:object_r:rpm_exec_t,s0)
+/usr/share/yumex/yum_childtask\.py --	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 ifdef(`distro_redhat', `
 /usr/bin/fedora-rmdevelrpms	--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -23,13 +25,18 @@ ifdef(`distro_redhat', `
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
-/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
 
+/var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 
 /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 
+/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
+
 # SuSE
 ifdef(`distro_suse', `
 /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)

policy/modules/admin/rpm.if

@@ -90,6 +90,24 @@ interface(`rpm_exec',`
 	can_exec($1, rpm_exec_t)
 ')
 
+########################################
+## <summary>
+##	Send a null signal to rpm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_signull',`
+	gen_require(`
+		type rpm_t;
+	')
+
+	allow $1 rpm_t:process signull;
+')
+
 ########################################
 ## <summary>
 ##	Inherit and use file descriptors from RPM.
@@ -165,6 +183,86 @@ interface(`rpm_dbus_chat',`
 	allow rpm_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to send and
+##	receive messages from rpm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_dontaudit_dbus_chat',`
+	gen_require(`
+		type rpm_t;
+		class dbus send_msg;
+	')
+
+	dontaudit $1 rpm_t:dbus send_msg;
+	dontaudit rpm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	rpm_script over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_script_dbus_chat',`
+	gen_require(`
+		type rpm_script_t;
+		class dbus send_msg;
+	')
+
+	allow $1 rpm_script_t:dbus send_msg;
+	allow rpm_script_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Search RPM log directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`rpm_search_log',`
+	gen_require(`
+		type rpm_log_t;
+	')
+
+	allow $1 rpm_log_t:dir search_dir_perms;
+')
+
+#####################################
+## <summary>
+##      Allow the specified domain to append
+##      to rpm log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_append_log',`
+        gen_require(`
+                type rpm_log_t;
+        ')
+
+        logging_search_logs($1)
+        append_files_pattern($1, rpm_log_t, rpm_log_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete the RPM log.
@@ -222,6 +320,107 @@ interface(`rpm_manage_script_tmp_files',`
 	manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
 ')
 
+#####################################
+## <summary>
+##      Allow the specified domain to append
+##      to rpm tmp files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_append_tmp_files',`
+        gen_require(`
+                type rpm_tmp_t;
+        ')
+
+        files_search_tmp($1)
+        append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete RPM
+##	 temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_tmp_files',`
+	gen_require(`
+		type rpm_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
+')
+
+########################################
+## <summary>
+##	Read RPM script temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_read_script_tmp_files',`
+	gen_require(`
+		type rpm_script_tmp_t;
+	')
+
+	read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+	read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
+')
+
+########################################
+## <summary>
+##	Read the RPM cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_read_cache',`
+	gen_require(`
+		type rpm_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 rpm_var_cache_t:dir list_dir_perms;
+	read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+	read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete the RPM package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_manage_cache',`
+	gen_require(`
+		type rpm_var_cache_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+	manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+	manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the RPM package database.
@@ -243,6 +442,24 @@ interface(`rpm_read_db',`
 	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
 ')
 
+########################################
+## <summary>
+##	Delete the RPM package database.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rpm_delete_db',`
+	gen_require(`
+		type rpm_var_lib_t;
+	')
+
+	delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete the RPM package database.
@@ -283,3 +500,59 @@ interface(`rpm_dontaudit_manage_db',`
 	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
 	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
 ')
+
+#####################################
+## <summary>
+##      Read rpm pid files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_read_pid_files',`
+        gen_require(`
+                type rpm_var_run_t;
+        ')
+
+	read_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
+	files_search_pids($1)
+')
+
+#####################################
+## <summary>
+##      Create, read, write, and delete rpm pid files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_manage_pid_files',`
+        gen_require(`
+                type rpm_var_run_t;
+        ')
+
+        manage_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
+	files_search_pids($1)
+')
+
+######################################
+## <summary>
+##      Create files in /var/run with the rpm pid file type.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`rpm_pid_filetrans',`
+        gen_require(`
+                type rpm_var_run_t;
+        ')
+
+        files_pid_filetrans($1, rpm_var_run_t, file)
+')

policy/modules/admin/rpm.te

@@ -1,5 +1,5 @@
 
-policy_module(rpm, 1.10.0)
+policy_module(rpm, 1.10.1)
 
 ########################################
 #
@@ -31,6 +31,12 @@ type rpm_var_lib_t;
 files_type(rpm_var_lib_t)
 typealias rpm_var_lib_t alias var_lib_rpm_t;
 
+type rpm_var_cache_t;
+files_type(rpm_var_cache_t)
+
+type rpm_var_run_t;
+files_pid_file(rpm_var_run_t)
+
 type rpm_script_t;
 type rpm_script_exec_t;
 domain_obj_id_change_exemption(rpm_script_t)
@@ -52,8 +58,9 @@ files_tmpfs_file(rpm_script_tmpfs_t)
 # rpm Local policy
 #
 
-allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid sys_chroot sys_tty_config mknod };
+allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
-allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+
+allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
 allow rpm_t self:process { getattr setexec setfscreate setrlimit };
 allow rpm_t self:fd use;
 allow rpm_t self:fifo_file rw_fifo_file_perms;
@@ -83,10 +90,18 @@ manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
 fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
+files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
+
 # Access /var/lib/rpm files
 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
 
+manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
+files_pid_filetrans(rpm_t, rpm_var_run_t, file)
+
+kernel_read_network_state(rpm_t)
 kernel_read_system_state(rpm_t)
 kernel_read_kernel_sysctls(rpm_t)
 
@@ -108,8 +123,9 @@ corenet_sendrecv_all_client_packets(rpm_t)
 dev_list_sysfs(rpm_t)
 dev_list_usbfs(rpm_t)
 dev_read_urand(rpm_t)
-#devices_manage_all_device_types(rpm_t)
 
+fs_getattr_all_dirs(rpm_t)
+fs_list_inotifyfs(rpm_t)
 fs_manage_nfs_dirs(rpm_t)
 fs_manage_nfs_files(rpm_t)
 fs_manage_nfs_symlinks(rpm_t)
@@ -132,6 +148,8 @@ storage_raw_write_fixed_disk(rpm_t)
 # for installing kernel packages
 storage_raw_read_fixed_disk(rpm_t)
 
+term_list_ptys(rpm_t)
+
 auth_relabel_all_files_except_shadow(rpm_t)
 auth_manage_all_files_except_shadow(rpm_t)
 auth_dontaudit_read_shadow(rpm_t)
@@ -155,6 +173,7 @@ domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
 files_exec_etc_files(rpm_t)
 
 init_domtrans_script(rpm_t)
+init_use_script_ptys(rpm_t)
 
 libs_exec_ld_so(rpm_t)
 libs_exec_lib_files(rpm_t)
@@ -174,7 +193,15 @@ optional_policy(`
 ')
 
 optional_policy(`
-	hal_dbus_chat(rpm_t)
+	dbus_system_domain(rpm_t, rpm_exec_t)
+
+	optional_policy(`
+		hal_dbus_chat(rpm_t)
+	')
+
+	optional_policy(`
+		networkmanager_dbus_chat(rpm_t)
+	')
 ')
 
 optional_policy(`
@@ -185,26 +212,9 @@ optional_policy(`
 	unconfined_domain(rpm_t)
 	# yum-updatesd requires this
 	unconfined_dbus_chat(rpm_t)
+	unconfined_dbus_chat(rpm_script_t)
 ')
 
-ifdef(`TODO',`
-# read/write/create any files in the system
-dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
-allow rpm_t ttyfile:chr_file unlink;
-
-# needs rw permission to the directory for an rpm package that includes a mount
-# point
-allow rpm_t fs_type:dir { setattr rw_dir_perms };
-
-allow rpm_t mount_t:tcp_socket write;
-
-allow rpm_t rpc_pipefs_t:dir search;
-
-optional_policy(`
-allow rpm_t sysadm_gph_t:fd use;
-')
-') dnl endif TODO
-
 ########################################
 #
 # rpm-script Local policy
@@ -239,6 +249,8 @@ fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_fi
 
 kernel_read_kernel_sysctls(rpm_script_t)
 kernel_read_system_state(rpm_script_t)
+kernel_read_network_state(rpm_script_t)
+kernel_read_software_raid_state(rpm_script_t)
 
 dev_list_sysfs(rpm_script_t)
 
@@ -250,6 +262,8 @@ dev_manage_all_chr_files(rpm_script_t)
 
 fs_manage_nfs_files(rpm_script_t)
 fs_getattr_nfs(rpm_script_t)
+fs_search_all(rpm_script_t)
+fs_getattr_all_fs(rpm_script_t)
 # why is this not using mount?
 fs_getattr_xattr_fs(rpm_script_t)
 fs_mount_xattr_fs(rpm_script_t)
@@ -272,6 +286,8 @@ selinux_compute_user_contexts(rpm_script_t)
 storage_raw_read_fixed_disk(rpm_script_t)
 storage_raw_write_fixed_disk(rpm_script_t)
 
+term_getattr_unallocated_ttys(rpm_script_t)
+term_list_ptys(rpm_script_t)
 term_use_all_terms(rpm_script_t)
 
 auth_dontaudit_getattr_shadow(rpm_script_t)
@@ -293,6 +309,7 @@ files_read_etc_runtime_files(rpm_script_t)
 files_exec_usr_files(rpm_script_t)
 
 init_domtrans_script(rpm_script_t)
+init_telinit(rpm_script_t)
 
 libs_exec_ld_so(rpm_script_t)
 libs_exec_lib_files(rpm_script_t)
@@ -325,11 +342,19 @@ optional_policy(`
 	bootloader_domtrans(rpm_script_t)
 ')
 
+optional_policy(`
+	lvm_domtrans(rpm_script_t)
+')
+
 optional_policy(`
 	tzdata_domtrans(rpm_t)
 	tzdata_domtrans(rpm_script_t)
 ')
 
+optional_policy(`
+	udev_domtrans(rpm_script_t)
+')
+
 optional_policy(`
 	unconfined_domain(rpm_script_t)
 	unconfined_domtrans(rpm_script_t)