65 lines
2.0 KiB
Diff
65 lines
2.0 KiB
Diff
From 47fe7d4c98809fcda9dfc8f1fab24cb6f765332c Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Pytela <zpytela@redhat.com>
|
|
Date: Tue, 31 Jan 2023 19:12:39 +0100
|
|
Subject: [PATCH 1/5] Additional support for rpmdb_migrate
|
|
|
|
Since the 3a99b00da4 ("Label /usr/lib/rpm/rpmdb_migrate with rpmdb_exec_t")
|
|
commit, selinux-policy supports the rpmdb-migrate.service which is
|
|
executed after the first boot to a newer Fedora release to migrate the
|
|
rpm database from /var/lib/rpm to /usr/lib/sysimage/rpm.
|
|
Additional permissions started to be required recently.
|
|
|
|
Resolves: rhbz#2164752
|
|
---
|
|
policy/modules/contrib/rpm.te | 21 ++++++++++++++-------
|
|
1 file changed, 14 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
|
|
index 247f1fa7a..cf5539abb 100644
|
|
--- a/policy/modules/contrib/rpm.te
|
|
+++ b/policy/modules/contrib/rpm.te
|
|
@@ -260,26 +260,33 @@ optional_policy(`
|
|
# rpmdb local policy
|
|
#
|
|
|
|
-allow rpmdb_t rpm_var_lib_t:file map;
|
|
-allow rpmdb_t rpmdb_tmp_t:file map;
|
|
+can_exec(rpmdb_t, rpm_exec_t)
|
|
|
|
manage_dirs_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
|
|
manage_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
|
|
-files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
|
|
-files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
|
|
+read_lnk_files_pattern(rpmdb_t, rpm_var_lib_t, rpm_var_lib_t)
|
|
+allow rpmdb_t rpm_var_lib_t:file map;
|
|
|
|
manage_dirs_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
|
|
manage_files_pattern(rpmdb_t, rpmdb_tmp_t, rpmdb_tmp_t)
|
|
files_tmp_filetrans(rpmdb_t, rpmdb_tmp_t, { file dir })
|
|
+allow rpmdb_t rpmdb_tmp_t:file map;
|
|
|
|
-term_use_all_inherited_terms(rpmdb_t)
|
|
-
|
|
-auth_dontaudit_read_passwd(rpmdb_t)
|
|
+corecmd_exec_bin(rpmdb_t)
|
|
+corecmd_exec_shell(rpmdb_t)
|
|
|
|
files_rw_inherited_non_security_files(rpmdb_t)
|
|
+files_usr_filetrans(rpmdb_t, rpm_var_lib_t, dir)
|
|
+files_var_lib_filetrans(rpmdb_t, rpm_var_lib_t, dir)
|
|
|
|
sysnet_dontaudit_read_config(rpmdb_t)
|
|
|
|
+term_use_all_inherited_terms(rpmdb_t)
|
|
+
|
|
+optional_policy(`
|
|
+ auth_dontaudit_read_passwd(rpmdb_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
miscfiles_read_generic_certs(rpmdb_t)
|
|
')
|
|
--
|
|
2.33.0
|
|
|