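# Copyright (C) 2005 Tresys Technology, LLC
##
## <summary>Policy for the RPM package manager.</summary>
##
## Layout of this file: every interface is an m4 define() that takes the
## calling domain type as $1 and is paired with a <name>_depend macro listing
## the types, classes and permissions its body uses.  The body invokes
## requires_block_template(`$0'_depend); presumably that expands the depend
## macro into a requires block for loadable-module callers (confirm against
## the template definition), so a depend macro that lists fewer permissions
## than its interface grants is a latent build/link failure.  Keep the two
## halves of each pair in sync when editing.
##

########################################
## <summary>
##	Execute rpm programs in the rpm domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_transition',`
	requires_block_template(`$0'_depend)

	# Caller may execute the rpm binary and transition into rpm_t.
	allow $1 rpm_exec_t:file { getattr read execute };
	allow $1 rpm_t:process transition;
	type_transition $1 rpm_exec_t:process rpm_t;

	# Inheritance checks on the new domain are denied without logging
	# (dontaudit only suppresses the audit record, it does not grant).
	dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };

	# Descriptor and pipe sharing in both directions across the
	# transition, plus the child-exit signal back to the caller.
	allow $1 rpm_t:fd use;
	allow rpm_t $1:fd use;
	allow rpm_t $1:fifo_file rw_file_perms;
	allow rpm_t $1:process sigchld;
')

# Declarations matching every access granted by rpm_transition().
define(`rpm_transition_depend',`
	type rpm_t, rpm_exec_t;
	class file { getattr read execute };
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <summary>
##	Execute RPM programs in the RPM domain, and allow a role and
##	terminal for the RPM domain.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="role">
##	The role to allow the RPM domain.
## </param>
## <param name="terminal">
##	The type of the terminal to allow the RPM domain to use.
## </param>
#
define(`rpm_transition_add_role_use_terminal',`
	requires_block_template(`$0'_depend)

	# Reuse the plain transition; it carries its own depend block.
	rpm_transition($1)

	# Both the rpm domain and the domain for rpm scriptlets must be
	# reachable from the caller's role.
	role $2 types rpm_t;
	role $2 types rpm_script_t;

	# Let rpm talk to the caller's terminal.
	allow rpm_t $3:chr_file { getattr read write ioctl };
')

# Declarations for rpm_transition_add_role_use_terminal(); the nested
# rpm_transition() call declares its own requirements.
define(`rpm_transition_add_role_use_terminal_depend',`
	type rpm_t, rpm_script_t;
	class chr_file { getattr read write ioctl };
')

########################################
## <summary>
##	Inherit and use file descriptors from RPM.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_use_file_descriptors',`
	requires_block_template(`$0'_depend)

	allow $1 rpm_t:fd use;
')

# Declarations matching rpm_use_file_descriptors().
define(`rpm_use_file_descriptors_depend',`
	type rpm_t;
	class fd use;
')

########################################
## <summary>
##	Read from a RPM pipe.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_read_pipe',`
	requires_block_template(`$0'_depend)

	allow $1 rpm_t:fifo_file { getattr read };
')

# Declarations matching rpm_read_pipe().
define(`rpm_read_pipe_depend',`
	type rpm_t;
	class fifo_file { getattr read };
')

########################################
## <summary>
##	Read the RPM package database.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_read_package_database',`
	requires_block_template(`$0'_depend)

	# Read-only access: directory traversal plus file and symlink reads.
	allow $1 rpm_var_lib_t:dir { getattr read search };
	allow $1 rpm_var_lib_t:file { read getattr };
	allow $1 rpm_var_lib_t:lnk_file { getattr read };
')

# Declarations matching rpm_read_package_database().
# The type is rpm_var_lib_t (the name the interface body uses); the
# earlier "rpm_var_lib_t_t" spelling was a typo that declared a
# non-existent type.
define(`rpm_read_package_database_depend',`
	type rpm_var_lib_t;
	class dir { search getattr read };
	class lnk_file { getattr read };
	class file { getattr read };
')

########################################
## <summary>
##	Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
define(`rpm_manage_package_database',`
	requires_block_template(`$0'_depend)

	# Full management: entries may be added to and removed from the
	# database directory, and files/symlinks created, written and unlinked.
	allow $1 rpm_var_lib_t:dir { getattr search read write add_name remove_name };
	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
')

# Declarations matching rpm_manage_package_database().
# Fixes two defects in the previous version: the type name was misspelled
# "rpm_var_lib_t_t", and only the read permissions were declared although
# the interface also grants write/add_name/remove_name on dir,
# create/write/append/unlink on file and write/unlink on lnk_file.
define(`rpm_manage_package_database_depend',`
	type rpm_var_lib_t;
	class dir { getattr search read write add_name remove_name };
	class file { getattr create read write append unlink };
	class lnk_file { getattr read write unlink };
')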