
Re: Possible issues with dpkg SELinux support



On Thu, Nov 8, 2012 at 3:26 AM, Guillem Jover <guillem@debian.org> wrote:
> Hi!
>
> I've had on my TODO for some time to clear out some doubts about the
> current dpkg SELinux support (which preceded my time), to be able to
> fix some possible issues with it, and because I've never actually used
> a SELinux enabled system and my knowledge about it is mostly
> superficial. So here goes:
>
> An error from the lsetfilecon_raw() call in [0] does not currently
> end up in the installation process aborting (just an error message
> printed out), I think this is wrong as I noted with the XXX there,
> but I'd like your input on this, in case it actually needs to proceed
> anyway. Otherwise I'd guess at least ENOTSUP should be ignored.
>
>   [0] <http://anonscm.debian.org/gitweb/?p=dpkg/dpkg.git;a=blob;f=src/archives.c;h=4e363474607bd916813ce772b1e5c4c7359a76fc;hb=HEAD#l479>
>
> And when invoking package maintainer scripts, dpkg does not set a
> new execution context, like rpm does with rpm_execcon(), and while
> skimming over the SELinux policy related to dpkg it seemed like
> dpkg would need to do so.
>
> I'd be fixing those, if needed, for dpkg 1.17.x.

Agree that lsetfilecon failure other than EOPNOTSUPP should abort
package installation if SELinux is enabled.  Note that matchpathcon
and friends are deprecated interfaces; consider converting to
selabel_open and friends instead, as has already been done in rpm.
Some mechanism to allow package scriptlets to run in a different
context than the package manager would be helpful, but rpm_execcon()
may not be a very good example.  The Tizen folks have been working on
a more general architecture for rpm security plugins that may be
relevant/helpful as a guide, see prior discussions on selinux list and
rpm-maint.
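
Added example, not part of the original message and not dpkg's code: the failure policy discussed above (ignore EOPNOTSUPP, treat any other labeling error as fatal when SELinux is enabled), written in C. `apply_label`, the result enum and the `fake_*` setters are hypothetical names; the setters stand in for lsetfilecon_raw() so the block runs without libselinux, and the path and context are constructed sample values.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same shape as libselinux's lsetfilecon_raw(path, context): 0 or -1 + errno. */
typedef int (*setcon_fn)(const char *path, const char *context);

enum label_result { LABEL_OK, LABEL_SKIPPED, LABEL_FATAL };

/* Label one unpacked file and classify the outcome for the installer. */
enum label_result
apply_label(setcon_fn setcon, int selinux_enabled,
            const char *path, const char *context)
{
    if (!selinux_enabled)
        return LABEL_SKIPPED;          /* nothing to enforce */
    if (setcon(path, context) == 0)
        return LABEL_OK;
    /* Filesystem cannot store the label. glibc on Linux defines ENOTSUP
     * as EOPNOTSUPP; checking both keeps the test portable. */
    if (errno == EOPNOTSUPP || errno == ENOTSUP)
        return LABEL_SKIPPED;
    /* Any other error would leave a mislabeled file: caller must abort. */
    fprintf(stderr, "cannot set security context for '%s': %s\n",
            path, strerror(errno));
    return LABEL_FATAL;
}

/* Constructed stand-ins for lsetfilecon_raw(), one per outcome. */
static int fake_ok(const char *p, const char *c)
{ (void)p; (void)c; return 0; }
static int fake_notsup(const char *p, const char *c)
{ (void)p; (void)c; errno = EOPNOTSUPP; return -1; }
static int fake_eperm(const char *p, const char *c)
{ (void)p; (void)c; errno = EPERM; return -1; }

int main(void)
{
    const char *path = "/usr/bin/example";           /* constructed */
    const char *ctx = "system_u:object_r:bin_t:s0";  /* constructed */
    setcon_fn cases[] = { fake_ok, fake_notsup, fake_eperm };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        if (apply_label(cases[i], 1, path, ctx) == LABEL_FATAL)
            return 1;   /* abort the installation */
    return 0;
}
```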

