Re: dpkg and selinux

[Russell Coker <russell@coker.com.au>]

On Wed, 1 Sep 2004 23:30, Scott James Remnant <scott@netsplit.com> wrote:
> It's an interesting one, certainly I'd suggest the right solution would
> be to do such commands in postinst until such time as it was the default
> and the tar format could carry this information.  It would then become
> policy that it would be carried inside the tar file, just as chmod/
> chgrp/chown are carried today.

The problem with that idea is that there are many possible policies.  Fedora 
currently has two significantly different policies which require different 
file labels on disk.  Storing the data in the package for such things is not 
going to work (and would require that all DDs have some SE Linux files 
installed on their systems).

The right solution is to apply the regex set at install time.

> The thing that worries me about this file is that it contains policy for
> things I don't have installed on my system; and doesn't seem to cope
> well with differing policy for (e.g.) two binaries called 'ssh' which
> may have different requirements.

Only one binary can have the full path /usr/bin/ssh which is what matters.

> However I'm loath to embed specific selinux support into dpkg if it
> introduces extra dependencies, or causes problems for those not using
> it.

Getting it to work in Debian should not be difficult.  Having a shared object 
interface to make the SE Linux library a plug-in and thus support RSBAC etc 
also shouldn't be too difficult.

> > i think only stephen, russell, dan or colin are in a position to
> > answer that.
>
> Sadly they've stopped answering my calls <g>

No, I've just been busy recently.  I've got about 1600 messages to catch up on 
at the moment...

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.