Re: dpkg branches
On Tue, 9 Nov 2004 17:55:23 -0600 (CST), Adam Heath <doogie@debian.org> said:
> On Wed, 3 Nov 2004, Scott James Remnant wrote:
>> Yeah, but there are two thoughts on how to do this. The patch in
>> the BTS at the moment adds a /etc/dpkg/postinst.d directory whose
>> contents get run every time a package is installed. You drop an
>> SELinux script in there to update contexcts.
> This is so very wrong on so many levels. It does not consider any
> fail states, nor transactions. Ie, what happens to the package
> being installed when some hook fails? What happens if a new hook is
> installed after several packages are installed?
Before getting into lets-examine-the-bark-on-this-tree, I
would like to step back and have a look at the forest:
When a packages files are installed, there is already
something in place to ensure that ownership and permissions are set
correctly (implementation details are irrelevant, even if it is just
tar doing the job). SELinux security contexts are another layer of
file attributes, except that they are different from the unix
ownership/permissions in that they are modified by local sysadmin
policy.
So, after tha package is unpacked, but before anything can use
one of the files just deposited on the file system, something that is
aware of local security policies must go in and paint the contexts on
these files (there is a simple call that does this).
Now, how this is implemented I'll leave to the dpkg domain
experts -- but a per package script seems suboptimal.
manoj
--
"Stop annoying Mister President with impertinent questions, Junior."
Death Race 2000
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
Reply to: