From 82e284bb893a629c55b7b386af5ffdd8beede0bb Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 11 Apr 2007 13:31:10 +0000
Subject: [PATCH] last piece of dan's previous patch

---
 policy/modules/admin/rpm.if | 20 ++++++++++++++++++++
 policy/modules/system/libraries.te | 7 +++++++
 2 files changed, 27 insertions(+)

diff --git a/policy/modules/admin/rpm.if b/policy/modules/admin/rpm.if
index 11b82978..57fc54f8 100644
--- a/policy/modules/admin/rpm.if
+++ b/policy/modules/admin/rpm.if
@@ -209,6 +209,26 @@ interface(`rpm_use_script_fds',`
 	allow $1 rpm_script_t:fd use;
 ')
 
+########################################
+##
+##	Create, read, write, and delete RPM
+##	script temporary files.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`rpm_manage_script_tmp_files',`
+	gen_require(`
+		type rpm_script_tmp_t;
+	')
+
+	files_search_tmp($1)
+	manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
+')
+
 ########################################
 ##
 ##	Read the RPM package database.
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 41c7879e..5563a383 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -107,3 +107,10 @@ optional_policy(`
 	# dontaudit access to /usr/lib/apache, normal programs cannot read these libs anyway
 	apache_dontaudit_search_modules(ldconfig_t)
 ')
+
+optional_policy(`
+	# When you install a kernel the postinstall builds a initrd image in tmp
+	# and executes ldconfig on it. If you dont allow this kernel installs
+	# blow up.
+	rpm_manage_script_tmp_files(ldconfig_t)
+')
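Review bot: The summary on the new `rpm_manage_script_tmp_files` interface does not say how wide the grant is: `manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)` lets the caller create, modify and unlink every file labeled rpm_script_tmp_t, not only files its own scriptlet produced, and read/write the rpm_script_tmp_t directories holding them. A caller that only needs to read scriptlet output would receive far more than it needs, so I would extend the summary with a sentence such as `##	Note: this covers all rpm_script_tmp_t files, not just those created by the calling domain.` The interface also grants nothing on lnk_file; if a caller such as ldconfig (which creates library symlinks) needs links in that tree, that will surface as a lnk_file denial and is worth confirming against real AVC output before widening it. The `rpm_use_script_fds` interface shown as hunk context begins outside the hunk; the new interface itself is complete.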
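Review bot: The comment above `rpm_manage_script_tmp_files(ldconfig_t)` has typos and understates what is granted; I would change it to `# When you install a kernel the postinstall builds an initrd image in tmp`, `# and executes ldconfig on it. If you don't allow this, kernel installs`, `# blow up.` Since the interface gives ldconfig_t full manage rights over every rpm_script_tmp_t file rather than only the initrd tree, and applies to every ldconfig_t invocation rather than only those spawned by an rpm scriptlet, a line such as `# This is broad: ldconfig_t may then modify any rpm scriptlet tmp file.` would help future reviewers judge whether a narrower interface should replace it. Whether ldconfig additionally needs lnk_file or dir creation in that tree cannot be seen from this hunk and should be checked against the denials that motivated the change.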