Correction.. non-crackrock rpms would not create a problem. You can
do an amazing amount of damage via postinstall scripts inside
packages. It wouldn't be all that difficult to create an nvidia rpm
that dropped the nvidia installer on the system and then ran the
installer via postinstall script. In fact I'm pretty sure I've seen
that sort of beast in the wild at some point. If your security is so
tight that postinstall actions during rpm packages would generally
fail when tampering with other package's files.. then you break lots
of postinstall actions.
I think rpm scripts already run within rpm_script_t domain which is
confined on strict policy.
Not sure how extensive the confinement is (I don't think it's very
extensive).
What kind of scripts legitimately need to tamper with other packages'
files? Examples?
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
