On Wed, Oct 10, 2007 at 12:44:07AM -0500, Manoj Srivastava wrote:
> > Manoj Srivastava writes ("Re: Triggers status?"):
> >> I also would love to have a pre-install trigger [...] to ensure that
> >> a SELinux policy for a package is loaded before the package is
> >> unpacked;

> Well, when one or more packages are going to be installed a
> <<not trigger but something that walks like a trigger, sounds like a
> trigger>> goes off,

So, afaics, Ian's triggers provide fairly weak ordering by time -- they'll
delay marking a package as installed a little bit, and consequent postinst
runs, but that's it. Delaying the unpack phase is a bigger step.

The above also seems different in that triggers are mostly about
aggregating similar tasks (update-menus for foo, update-menus for bar)
so they can all be run at once, substantially quicker. That doesn't seem
to be the case for SELinux policies either, which I presume would get
lost in the noise of unpacking anyway.

> I'll be happy to call it a pre-install hook.

That sounds sensible.

I wonder if it'd be possible to set up an SELinux policy so that dpkg is
only able to unpack files that are already known about by SELinux -- at
least that way you'd get an error on unpack, with dpkg's usual bail-out
attempts, rather than a possible hole introduced into your system.

Cheers,
aj