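## <module name="rpm">
## <summary>Policy for the RPM package manager.</summary>

########################################
## <interface name="rpm_domtrans">
##	<description>
##		Execute rpm programs in the rpm domain.
##		The caller ends up running with every permission
##		granted to rpm_t, so this is a privilege hand-off
##		and should be given only to domains that need it.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`rpm_domtrans',`
	requires_block_template(`$0'_depend)
	# Execute rpm_exec_t and land in rpm_t (automatic transition).
	allow $1 rpm_exec_t:file rx_file_perms;
	allow $1 rpm_t:process transition;
	type_transition $1 rpm_exec_t:process rpm_t;
	# Silence the usual exec-time inheritance denials instead of
	# granting them; the new domain keeps a clean environment.
	dontaudit $1 rpm_t:process { noatsecure siginh rlimitinh };
	# Descriptors inherited across the exec stay usable in both
	# directions; rpm_t may read/write pipes owned by the caller
	# and deliver SIGCHLD to it on exit.
	allow $1 rpm_t:fd use;
	allow rpm_t $1:fd use;
	allow rpm_t $1:fifo_file rw_file_perms;
	allow rpm_t $1:process sigchld;
')
define(`rpm_domtrans_depend',`
	type rpm_t, rpm_exec_t;
	class file rx_file_perms;
	class process { transition noatsecure siginh rlimitinh sigchld };
	class fd use;
	class fifo_file rw_file_perms;
')

########################################
## <interface name="rpm_run">
##	<description>
##		Execute RPM programs in the RPM domain, additionally
##		authorizing a role for rpm_t and rpm_script_t and
##		letting rpm_t use the given terminal.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<parameter name="role">
##		The role to allow the RPM domain.
##	</parameter>
##	<parameter name="terminal">
##		The type of the terminal to allow the RPM domain to use.
##	</parameter>
## </interface>
#
define(`rpm_run',`
	requires_block_template(`$0'_depend)
	rpm_domtrans($1)
	# The role must be permitted for rpm_t and for the scriptlet
	# domain rpm_script_t, otherwise the transition is refused.
	role $2 types rpm_t;
	role $2 types rpm_script_t;
	# Interactive use: rpm_t talks to the invoking terminal.
	allow rpm_t $3:chr_file { getattr read write ioctl };
')
define(`rpm_run_depend',`
	type rpm_t, rpm_script_t;
	class chr_file { getattr read write ioctl };
')

########################################
## <interface name="rpm_use_fd">
##	<description>
##		Inherit and use file descriptors from RPM.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`rpm_use_fd',`
	requires_block_template(`$0'_depend)
	allow $1 rpm_t:fd use;
')
define(`rpm_use_fd_depend',`
	type rpm_t;
	class fd use;
')

########################################
## <interface name="rpm_read_pipe">
##	<description>
##		Read from a RPM pipe.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`rpm_read_pipe',`
	requires_block_template(`$0'_depend)
	allow $1 rpm_t:fifo_file r_file_perms;
')
define(`rpm_read_pipe_depend',`
	type rpm_t;
	class fifo_file r_file_perms;
')

########################################
## <interface name="rpm_read_db">
##	<description>
##		Read the RPM package database (rpm_var_lib_t).
##		Read access reveals the installed package inventory;
##		grant it only to domains that query package state.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`rpm_read_db',`
	requires_block_template(`$0'_depend)
	allow $1 rpm_var_lib_t:dir r_dir_perms;
	allow $1 rpm_var_lib_t:file r_file_perms;
	allow $1 rpm_var_lib_t:lnk_file r_file_perms;
')
define(`rpm_read_db_depend',`
	# Must name the same type the interface body uses; the previous
	# spelling rpm_var_lib_t_t referred to a type that is never declared.
	type rpm_var_lib_t;
	class dir r_dir_perms;
	class lnk_file r_file_perms;
	class file r_file_perms;
')

########################################
## <interface name="rpm_manage_db">
##	<description>
##		Create, read, write, and delete entries in the RPM
##		package database (rpm_var_lib_t). A domain with this
##		access can alter the recorded package state, so it
##		should be limited to the package manager itself and
##		trusted administrative tooling.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`rpm_manage_db',`
	requires_block_template(`$0'_depend)
	allow $1 rpm_var_lib_t:dir rw_dir_perms;
	allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
	allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
')
define(`rpm_manage_db_depend',`
	# Must name the same type the interface body uses; the previous
	# spelling rpm_var_lib_t_t referred to a type that is never declared.
	type rpm_var_lib_t;
	class dir rw_dir_perms;
	class lnk_file { getattr read write unlink };
	class file { getattr create read write append unlink };
')
## </module>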