
Re: Bug#307139: dpkg: Please pull from srivasta@debian.org--2005-selinux/dpkg--selinux--1.13



Hi,
On Tue, 17 May 2005 13:17:56 +0100, Scott James Remnant <scott@netsplit.com> said: 

> On Sun, 2005-05-01 at 00:26 -0500, Manoj Srivastava wrote:

>> I have created a small (68 lines addition in lib/star.c) patch for
>> SELinux support in dpkg. This is against the version pulled from
>> scott@netsplit.com--2005/dpkg--devel--1.13--patch-137. Adding in
>> changes to configure, Makefile.am's for the binaries, ChangeLog,
>> and ./debian/changelog, we have 188 lines of additions, 7 deletions
>> over 10 files (the bulk being 68 lines of code change and 30 lines
>> of ChangeLog).
>> 
> I'm not sure that perror() is appropriate, is it really just a
> warning if the context set fails or should ohshite() be called to
> abort the installation?

        This is a preference thing.  If the context set fails, then
 the file shall be installed like any file that the sys admin
 unpacked using tar -- that is, in the sysadm_t domain. The package
 may or may not be usable, depending on the security policy. It should
 be easier for a human to fix the security context manually if the
 file existed on disk.

        My first instinct was to not bomb out on the very first
 version where SELinux support has been implemented -- we can always
 add the abort call once we are relatively sure that things do not
 screw up.

        Technically, inability to set the security context is a
 symptom of something really wrong, and it would make sense to abort
 at this point before we move back into Sid.

        manoj

-- 
You can never tell which way the train went by looking at the tracks.
Manoj Srivastava     <srivasta@acm.org>    <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


