Re: [SE/Linux] status / progress report 13jun2004
On Fri, 18 Jun 2004 05:33, Simon Richter <sjr@debian.org> wrote:
> Hi,
>
> [labeling files for SE/Linux]
>
> > > Why can't this just be done in postinst?
> >
> > Sure it could be done in the postinst, if I could change the postinst
> > file of every package in Debian and keep the changes up to date...
>
> Are these labels required for every package, or can they be left out for
> programs that are meant to be called by users and need no special
> privileges?

Most packages don't need anything special under the current policy, as in most
cases the contexts of the files match that of the directories that they are
in.

There are probably only a few hundred packages that really need per-file
labelling under the current policy.

However, there can be different policies; a user could create their own policy
which requires different labelling. It is not possible for me to know the
precise list of which packages a SE Linux administrator may require such
labelling on right now, and we can expect things to change in future.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page