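## <summary>Policy for the RPM package manager.</summary>

########################################
## <summary>
##	Execute rpm programs in the rpm domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_domtrans',`
	gen_require(`
		type rpm_t, rpm_exec_t;
		class process sigchld;
		class fd use;
		class fifo_file rw_file_perms;
	')

	files_search_usr($1)
	corecmd_search_bin($1)
	domain_auto_trans($1,rpm_exec_t,rpm_t)

	# Both sides may keep using descriptors inherited across the
	# transition; rpm may read and write pipes the caller set up and
	# deliver the child-exit signal to it.
	allow $1 rpm_t:fd use;
	allow rpm_t $1:fd use;
	allow rpm_t $1:fifo_file rw_file_perms;
	allow rpm_t $1:process sigchld;
')

########################################
## <summary>
##	Execute RPM programs in the RPM domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="role">
##	The role to allow the RPM domain.
## </param>
## <param name="terminal">
##	The type of the terminal the RPM domain is allowed to use.
## </param>
#
define(`rpm_run',`
	gen_require(`
		type rpm_t, rpm_script_t;
		class chr_file rw_term_perms;
	')

	rpm_domtrans($1)

	# The role is authorized for rpm_script_t in addition to rpm_t, so
	# the caller role remains valid for whatever rpm_t transitions into
	# via rpm_script_t (presumably package scripts; confirm against the
	# transition rules in the .te file).
	role $2 types rpm_t;
	role $2 types rpm_script_t;
	allow rpm_t $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Inherit and use file descriptors from RPM.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_use_fd',`
	gen_require(`
		type rpm_t;
		class fd use;
	')

	allow $1 rpm_t:fd use;
')

########################################
## <summary>
##	Read from a RPM pipe.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_read_pipe',`
	gen_require(`
		type rpm_t;
		class fifo_file r_file_perms;
	')

	allow $1 rpm_t:fifo_file r_file_perms;
')

########################################
## <summary>
##	Read RPM package database.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_read_db',`
	# The allow rules below use rpm_var_lib_t; the require block must
	# name the same type (it previously required a misspelled
	# rpm_var_lib_t_t, which does not exist, so the rules could not
	# resolve).
	gen_require(`
		type rpm_var_lib_t;
		class dir r_dir_perms;
		class lnk_file r_file_perms;
		class file r_file_perms;
	')

	allow $1 rpm_var_lib_t:dir r_dir_perms;
	allow $1 rpm_var_lib_t:file r_file_perms;
	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_manage_db',`
	# Same type-name fix as in rpm_read_db: require rpm_var_lib_t, the
	# type the rules actually reference.
	gen_require(`
		type rpm_var_lib_t;
		class dir rw_dir_perms;
		class lnk_file { getattr read write unlink };
		class file { getattr create read write append unlink };
	')

	# Note: files may be created but symlinks may only be modified or
	# removed; no create permission is granted on lnk_file.
	allow $1 rpm_var_lib_t:dir rw_dir_perms;
	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
')
##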