Written by: Martin Orr Let dpkg run grub-probe as bootloader_t (is this the right domain?) Used when installing a kernel Aug 13 22:12:54 caligula kernel: type=1400 audit(1218661974.726:1207): avc: denied { sys_admin } for pid=30883 comm="grub-probe" capability=21 scontext=system_u:system_r:dpkg_t:s0 tcontext=system_u:system_r:dpkg_t:s0 tclass=capability Index: policy/modules/admin/bootloader.fc =================================================================== --- policy/modules/admin/bootloader.fc.orig +++ policy/modules/admin/bootloader.fc @@ -7,3 +7,4 @@ /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) +/usr/sbin/grub-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) Index: policy/modules/admin/dpkg.te =================================================================== --- policy/modules/admin/dpkg.te.orig +++ policy/modules/admin/dpkg.te @@ -189,6 +189,10 @@ apt_use_ptys(dpkg_t) ') +optional_policy(` + bootloader_domtrans(dpkg_t) +') + # TODO: allow? #optional_policy(` # cron_system_entry(dpkg_t,dpkg_exec_t)
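Review bot: On the bootloader.fc hunk, the author's own question ("is this the right domain?") is left open; the only visible need is the `sys_admin` capability denial for `grub-probe` running as `dpkg_t`, so the commit message or a comment should record why running it as `bootloader_t` was chosen over granting that capability, since labeling the binary `bootloader_exec_t` hands it everything `bootloader_t` is allowed rather than the one capability the denial shows. The path is consistent with the existing `/usr/sbin/grub` entry, but note the new context only takes effect on installed systems after the file is relabeled (e.g. `restorecon /usr/sbin/grub-probe`); the denial will keep appearing until that is done.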
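Review bot: On the dpkg.te hunk, the new `optional_policy(` block carries no comment explaining the transition, unlike the `# TODO: allow?` block that follows it in the context lines; the reason is only in the message ("Used when installing a kernel"), so suggest a one-line comment above it such as `# grub-probe is run while installing a kernel`. Also, `bootloader_domtrans(dpkg_t)` only moves the denial: after the transition `grub-probe` runs as `bootloader_t`, and nothing in this patch shows that `bootloader_t` is allowed `capability { sys_admin }`, so that should be checked against bootloader.te before the change is considered complete.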