
Re: Triggers status?

On Sun, Oct 21, 2007 at 11:30:08PM -0500, Manoj Srivastava wrote:
> On Mon, 22 Oct 2007 07:01:33 +1000, Anthony Towns wrote:
>         This is because the default is to deny by default -- and thus
>  security policy modules _add_ the permissions for special tasks that
>  packages need to do.  Lacking security policy does not mean you have a
>  security hole -- 

Oh, well in that case you only need it to happen before the postinst, not
before the preinst. That's much closer to something triggers could do --
for instance, if you hacked libc6 to be interested in a file trigger for /,
then anytime you installed an arch:any package, you'd have:

	libc6 installed, foo-any uninstalled
foo-any unpack
	libc6 trigger-await, foo-any unpacked
libc6.postinst triggered /
	libc6 installed, foo-any unpacked
foo-any.postinst configure
	libc6 installed, foo-any installed

The foo-any Depends: libc6 relationship is required for that ordering
to be guaranteed, afaics though. Generalising that to some sort of
"Ensure-Always-Configured: yes" header that the selinux-policy package
could use might be feasible though.

(All of the above assumes my understanding of triggers is accurate;
I haven't looked at the code)

