Written by: Martin Orr Let dpkg run loadkeys in correct domain (when installing console-data) Also let loadkeys use apt ptys Still need to figure out about fgconsole, dumpkeys Jun 21 11:34:13 caligula kernel: type=1400 audit(1214044453.144:10): avc: denied { read write } forpid=4049 comm="loadkeys" name="tty0" dev=tmpfs ino=603 scontext=system_u:system_r:dpkg_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file Jun 21 14:21:55 caligula kernel: type=1400 audit(1214054515.058:107): avc: denied { getattr } for pid=13321 comm="loadkeys" path="/usr/share/keymaps/sun/sunt5-fi-latin1.kmap.gz" dev=dm-0 ino=551701 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file type=AVC msg=audit(1242552057.423:12): avc: denied { use } for pid=10053 comm="loadkeys" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:system_r:apt_t:s0 tclass=fd type=AVC msg=audit(1242552446.127:19): avc: denied { read write } for pid=17704 comm="loadkeys" path="/dev/pts/4" dev=devpts ino=7 scontext=system_u:system_r:loadkeys_t:s0 tcontext=system_u:object_r:apt_devpts_t:s0 tclass=chr_file Index: policy/modules/admin/dpkg.te =================================================================== --- policy/modules/admin/dpkg.te.orig +++ policy/modules/admin/dpkg.te @@ -203,6 +203,10 @@ ') optional_policy(` + loadkeys_domtrans(dpkg_t) +') + +optional_policy(` nis_use_ypbind(dpkg_t) ') Index: policy/modules/apps/loadkeys.te =================================================================== --- policy/modules/apps/loadkeys.te.orig +++ policy/modules/apps/loadkeys.te @@ -27,6 +27,7 @@ files_read_etc_files(loadkeys_t) files_read_etc_runtime_files(loadkeys_t) +files_read_usr_files(loadkeys_t) term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t) 
@@ -48,3 +49,14 @@ optional_policy(` nscd_dontaudit_search_pid(loadkeys_t) ') + +ifdef(`distro_debian',` + optional_policy(` + apt_use_fds(loadkeys_t) + apt_use_ptys(loadkeys_t) + ') + + optional_policy(` + dpkg_rw_tmp_files(loadkeys_t) + ') +') Index: policy/modules/apps/loadkeys.fc =================================================================== --- policy/modules/apps/loadkeys.fc.orig +++ policy/modules/apps/loadkeys.fc @@ -1,3 +1,5 @@ /bin/loadkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) /bin/unikeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) +/bin/dumpkeys -- gen_context(system_u:object_r:loadkeys_exec_t,s0) +/bin/fgconsole -- gen_context(system_u:object_r:loadkeys_exec_t,s0) Index: policy/modules/admin/dpkg.if =================================================================== --- policy/modules/admin/dpkg.if.orig +++ policy/modules/admin/dpkg.if @@ -224,3 +224,22 @@ allow $1 dpkg_var_lib_t:dir list_dir_perms; allow $1 dpkg_lock_t:file manage_file_perms; ') + +######################################## +## +## Read and write dpkg (and maintainer script) temporary files. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`dpkg_rw_tmp_files',` + gen_require(` + type dpkg_tmp_t; + ') + + files_search_tmp($1) + allow $1 dpkg_tmp_t:file rw_file_perms; +')
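Review bot: in the dpkg.te hunk, the first AVC line (comm="loadkeys", scontext=dpkg_t on tty0) is what this `loadkeys_domtrans(dpkg_t)` addresses; loadkeys.te already carries `term_use_unallocated_ttys(loadkeys_t)`, so the tty_device_t chr_file access should be satisfied once loadkeys runs in loadkeys_t rather than dpkg_t. Worth re-running the console-data install with the transition active and checking that no further denial appears with scontext=loadkeys_t, since the remaining AVC lines in the message all predate that check.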
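Review bot: in the first loadkeys.te hunk, `files_read_usr_files(loadkeys_t)` does cover the getattr denial on /usr/share/keymaps/sun/sunt5-fi-latin1.kmap.gz (it grants read and getattr on usr_t files plus directory search), but note the path is a .kmap.gz file: loadkeys decompresses such files by running gzip, so if loadkeys_t cannot already execute bin_t (context not visible in this hunk) a follow-up exec denial is likely and should be checked in the same test run.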
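Review bot: in the second loadkeys.te hunk, `dpkg_rw_tmp_files(loadkeys_t)` is not backed by any of the AVC lines quoted in the message; the four denials cover the tty, the usr_t keymap, the apt_t fd and the apt_devpts_t pty, which map to `apt_use_fds` and `apt_use_ptys`, but nothing shows loadkeys touching dpkg_tmp_t. Either add the denial that motivated it or a line in the commit message saying which maintainer-script path writes a keymap to dpkg's temporary files, otherwise a reviewer cannot tell whether this is needed. Wrapping all three calls in `ifdef(\`distro_debian',\`` is the right scoping.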
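Review bot: the loadkeys.fc hunk labels /bin/dumpkeys and /bin/fgconsole as loadkeys_exec_t while the commit message itself says "Still need to figure out about fgconsole, dumpkeys", and none of the quoted AVC lines involve either binary. Combined with the new `loadkeys_domtrans(dpkg_t)`, this means dpkg maintainer scripts calling fgconsole or dumpkeys will now transition into loadkeys_t; either drop these two lines into a separate follow-up once their needs are known, or state in the commit message that the labeling is intentional and tested.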
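Review bot: in the dpkg.if hunk, the documentation block for `dpkg_rw_tmp_files` as shown has empty `##` lines where refpolicy's doc format expects `## <summary>` / `## </summary>` around "Read and write dpkg (and maintainer script) temporary files." and `## <param name="domain">` / `## </param>` around "The type of the process performing this action."; if the tags were stripped in transit this is fine, otherwise add them so the interface documentation generates. The body itself is consistent with the summary: `files_search_tmp($1)` plus `rw_file_perms` on dpkg_tmp_t grants read/write only, without create or unlink.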