On Sun, 11 Apr 2004, Russell Coker wrote: > On Tue, 6 Apr 2004 05:43, Panu Matilainen <pmatilai@xxxxxxxxx> wrote: > > In the long run apt should probably run in it's own domain with suitable > > restrictions on the methods etc... but this all raises the question: > > How are 3rd party packages supposed to ship their own policy settings in > > a sane manner? > > I've added rpm_exec_t entries for the apt programs in my tree. > > If we are going to have apt as a recommended program or if we have some setup > with yum or up2date whereby one program gets the files and another does the > install (similar to the apt-get/dpkg) then we could write policy to > support/enforce that distinction. Note that apt-rpm by default doesn't use external rpm binary to do the installation anymore, it uses rpmlib for the job (but can be reverted to the old behavior with a config option). So in that mode it requires all the rights rpm itself has. The other parts like download, uncompress etc which run as separate processes could well be restricted much more and I'm in fact planning to write such a policy for apt just (if only to teach myself selinux). > > However I expect apt to be phased out, so it's probably not worth doing. I don't see it going away anytime soon. - Panu -
