
Re: dpkg and selinux



On Wed, 1 Sep 2004 23:30, Scott James Remnant <scott@netsplit.com> wrote:
> It's an interesting one, certainly I'd suggest the right solution would
> be to do such commands in postinst until such time as it was the default
> and the tar format could carry this information.  It would then become
> policy that it would be carried inside the tar file, just as chmod/
> chgrp/chown are carried today.

The problem with that idea is that there are many possible policies.  Fedora 
currently has two significantly different policies which require different 
file labels on disk.  Storing the data in the package for such things is not 
going to work (and would require that all DDs have some SE Linux files 
installed on their systems).

The right solution is to apply the regex set at install time.

> The thing that worries me about this file is that it contains policy for
> things I don't have installed on my system; and doesn't seem to cope
> well with differing policy for (e.g.) two binaries called 'ssh' which
> may have different requirements.

Only one binary can have the full path /usr/bin/ssh which is what matters.

> However I'm loath to embed specific selinux support into dpkg if it
> introduces extra dependencies, or causes problems for those not using
> it.

Getting it to work in Debian should not be difficult.  Having a shared object 
interface to make the SE Linux library a plug-in and thus support RSBAC etc 
also shouldn't be too difficult.

> > i think only stephen, russell, dan or colin are in a position to
> > answer that.
>
> Sadly they've stopped answering my calls <g>

No, I've just been busy recently.  I've got about 1600 messages to catch up on 
at the moment...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
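As an added example (not code from this thread, from dpkg or from any SE Linux package), a small Python model of what "apply the regex set at install time" means: a package's file list is labelled by whichever policy is on the host, so the same files get different labels under two constructed policies, and /usr/bin/ssh is resolved by its full path. The rule format, the contexts, the manifest and the "last matching entry wins, entries listed general-first" resolution are all assumptions of this model.

```python
import re

# Each entry: (path regex, file-type flag or None, security context).
# The regex is matched against the whole path; the last matching entry wins,
# so entries are listed general-first.  Both policies and all contexts are
# constructed for illustration and differ on purpose.
POLICY_ALPHA = [
    (r"/.*",                None, "system_u:object_r:default_t"),
    (r"/etc(/.*)?",         None, "system_u:object_r:etc_t"),
    (r"/usr/bin/.*",        None, "system_u:object_r:bin_t"),
    (r"/usr/bin/ssh",       "--", "system_u:object_r:ssh_exec_t"),
]
POLICY_BETA = [
    (r"/.*",                None, "system_u:object_r:file_t"),
    (r"/etc(/.*)?",         None, "system_u:object_r:etc_t"),
    (r"/etc/ssh(/.*)?",     None, "system_u:object_r:sshd_config_t"),
    (r"/usr/bin/.*",        None, "system_u:object_r:bin_t"),
    (r"/usr/bin/ssh",       "--", "system_u:object_r:ssh_exec_t"),
    (r"/usr/bin/ssh-agent", "--", "system_u:object_r:ssh_agent_exec_t"),
]
TYPE_FLAGS = {"--": "file", "-d": "dir"}   # file_contexts-style type restriction

def compile_contexts(rules):
    """Compile the regex set once per policy; None kind means any file type."""
    return [(re.compile(rx), TYPE_FLAGS.get(flag) if flag else None, ctx)
            for rx, flag, ctx in rules]

def label_for(path, kind, compiled):
    """Context the regex set assigns to a full path of the given kind, or None."""
    chosen = None
    for rx, want_kind, ctx in compiled:
        if rx.fullmatch(path) and (want_kind is None or want_kind == kind):
            chosen = ctx            # later (more specific) entries override earlier ones
    return chosen

def label_package(manifest, rules):
    """Label a package's files with the host's policy, as an install-time hook would."""
    compiled = compile_contexts(rules)
    return {path: label_for(path, kind, compiled) for path, kind in manifest}

# Constructed manifest of an ssh package: (full path, kind).
SSH_MANIFEST = [
    ("/usr/bin/ssh", "file"), ("/usr/bin/ssh-agent", "file"),
    ("/usr/local/bin/ssh", "file"),              # a second 'ssh': different path, different label
    ("/etc/ssh", "dir"), ("/etc/ssh/ssh_config", "file"),
]

if __name__ == "__main__":
    for name, policy in (("alpha", POLICY_ALPHA), ("beta", POLICY_BETA)):
        print(f"policy {name}:")
        for path, ctx in label_package(SSH_MANIFEST, policy).items():
            print(f"  {path:22} {ctx}")
```

Storing either result in the .deb would be wrong on a host running the other policy, which is the reason for labelling at install time rather than in the archive.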


