Written by: Martin Orr
Attempt to make update-flashplugin-nonfree work
It runs wget and gpg, using dpkg tmp files
The script still needs to be changed to run restorecon on libflashplayer.so
Still needs work for nspluginwrapper execmem
Dec 8 11:21:28 caligula kernel: type=1400 audit(1228735288.210:4): avc: denied { create } for pid=4672 comm="wget" scontext=system_u:system_r:dpkg_t:s0 tcontext=system_u:system_r:dpkg_t:s0 tclass=netlink_route_socket
Dec 8 11:21:28 caligula kernel: type=1400 audit(1228735288.674:7): avc: denied { search } for pid=4673 comm="gpg" name="flashplugin-nonfree.wpzcIwIhON" dev=dm-0 ino=405621 scontext=system_u:system_r:gpg_t:s0 tcontext=system_u:object_r:dpkg_tmp_t:s0 tclass=dir
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig
+++ policy/modules/admin/dpkg.te
@@ -66,6 +66,7 @@
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };
allow dpkg_t self:passwd { chfn rootok };
+allow dpkg_t self:netlink_route_socket r_netlink_socket_perms;
# This is for se_aptitude et al, so that maintainer scripts can talk back.
apt_use_fds(dpkg_script_t)
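Review bot: The new rule on the `allow dpkg_t self:netlink_route_socket` line is the only one in this group without a justification, while the rule right after it carries one; since the description's denial came from wget running as dpkg_t, record that so the next maintainer does not drop it: `# wget run from maintainer scripts opens a netlink route socket (presumably for interface/route lookup)`. Note that `r_netlink_socket_perms` is, as far as I recall the refpolicy permission sets, wider than the single `create` the audit record shows (it includes read/write/bind), which is normal for this class but worth confirming that it is the set intended. It is also worth checking whether wget should really be executing as dpkg_t rather than the dpkg_script_t domain the neighbouring rule refers to, since the denial's context (`comm="wget" scontext=...dpkg_t`) suggests no transition took place; that is inferred from the log alone, not from this hunk.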
Index: policy/modules/admin/dpkg.if
===================================================================
--- policy/modules/admin/dpkg.if.orig
+++ policy/modules/admin/dpkg.if
@@ -243,3 +243,41 @@
files_search_tmp($1)
allow $1 dpkg_tmp_t:file rw_file_perms;
')
+
+########################################
+##
+## Manage dpkg temporary files.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_manage_tmp_files',`
+ gen_require(`
+ type dpkg_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ manage_files_pattern($1, dpkg_tmp_t, dpkg_tmp_t)
+')
+
+########################################
+##
+## Read dpkg temporary files.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_read_tmp_files',`
+ gen_require(`
+ type dpkg_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ read_files_pattern($1, dpkg_tmp_t, dpkg_tmp_t)
+')
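Review bot: The header comments of both new interfaces (`## Manage dpkg temporary files.` and `## Read dpkg temporary files.`) are surrounded by bare `##` lines with no summary or parameter markup, so the generated interface documentation would have empty descriptions and an unnamed parameter; if the page rendering stripped the XML tags this is moot, otherwise the block should read `## <summary>` / `## Manage dpkg temporary files.` / `## </summary>` followed by `## <param name="domain">` around `## The type of the process performing this action.`. Also note that `dpkg_read_tmp_files` is added here but not called by any hunk in this patch, so it is only useful if the gpg change below is switched to it; it is the narrower of the two and should be the one callers reach for first.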
Index: policy/modules/apps/gpg.te
===================================================================
--- policy/modules/apps/gpg.te.orig
+++ policy/modules/apps/gpg.te
@@ -157,6 +157,10 @@
cron_read_system_job_tmp_files(gpg_t)
')
+optional_policy(`
+ dpkg_manage_tmp_files(gpg_t)
+')
+
########################################
#
# GPG helper local policy
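Review bot: `dpkg_manage_tmp_files(gpg_t)` grants gpg_t create, write and unlink over every dpkg_tmp_t file, but the only denial recorded for gpg in the description is a `search` on a dpkg temporary directory while it verifies a download, so the narrower `dpkg_read_tmp_files(gpg_t)` that this same patch adds would likely be enough. gpg is the component fed attacker-supplied signatures and keys, so letting it modify what dpkg stages in its temporary files is a privilege a compromised gpg could use against the package install itself; prefer the read-only interface and re-test. Further denials would be expected only if the script points gpg's home directory into the dpkg tmp area (lock, trustdb or keyring writes), and those would also need directory write permissions that neither new interface grants, so that case should be handled explicitly rather than by widening this rule; this is inferred from the audit line, not from the hunk.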