Re: dpkg branches
On Tue, 9 Nov 2004 17:55:23 -0600 (CST), Adam Heath <email@example.com> said:
> On Wed, 3 Nov 2004, Scott James Remnant wrote:
>> Yeah, but there are two thoughts on how to do this. The patch in
>> the BTS at the moment adds a /etc/dpkg/postinst.d directory whose
>> contents get run every time a package is installed. You drop an
>> SELinux script in there to update contexts.
> This is so very wrong on so many levels. It does not consider any
> fail states, nor transactions. I.e., what happens to the package
> being installed when some hook fails? What happens if a new hook is
> installed after several packages are installed?

Before getting into lets-examine-the-bark-on-this-tree, I
would like to step back and have a look at the forest:

When a package's files are installed, there is already
something in place to ensure that ownership and permissions are set
correctly (implementation details are irrelevant, even if it is just
tar doing the job). SELinux security contexts are another layer of
file attributes, except that they are different from the unix
ownership/permissions in that they are modified by local sysadmin

So, after the package is unpacked, but before anything can use
one of the files just deposited on the file system, something that is
aware of local security policies must go in and paint the contexts on
these files (there is a simple call that does this).

Now, how this is implemented I'll leave to the dpkg domain
experts -- but a per package script seems suboptimal.

"Stop annoying Mister President with impertinent questions, Junior."
Death Race 2000
Manoj Srivastava <firstname.lastname@example.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C