On Fri, 12 Mar 2004 00:56, Jeff Johnson <n3npq@xxxxxxxxx> wrote:
> Adding --noscripts --notriggers automagically to each package not signed
> with trusted signature is an alternative that starts to avoid a lot of
> selinux pain. And, since very few 3rd party add-on packages are essential
> to system integrity, there are few consequences running the scripts after
> the fact in an entirely different domain of execution.

As a future development I was thinking of having untrusted_bin_t and
untrusted_etc_t and other similar types for files in such packages. Then we
could allow the scripts unrestricted access to those files but read-only
access to other files.

It's just an idea that will need a lot of testing. But it could allow us to
have a package that wants to run some scripts to mangle its own config files
work well without modifications.

> There are still issues with trojan'ed files in payload, forcing chmod -x
> or chmod 000 might start to limit damage.

That depends on how we want to do it. We could just have an executable type
untrusted_bin_t which prevents execution by sysadm_t, or something similar.
Some input from customers regarding what they want might be good.

> So it's the logical connection that leads from
> rpm_script_t has too much access
> to
> rpm needs multiple domains based on signature
> that I am seeking. selinux is not the only way to limit damage if you
> catch my drift.

True. But I am thinking about SE Linux.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
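The first quoted paragraph describes the mechanism of passing --noscripts --notriggers to rpm for any package that does not carry a trusted signature. The following shell script is an added illustration of that policy as an install wrapper; it is not code from the thread, from rpm, or from the SE Linux packages linked above. It assumes the classic rpm 4.x `rpm -K` output line (for example `foo.rpm: (sha1) dsa sha1 md5 gpg OK`), which is an assumption about the format, and the `untrusted_flags` and `checked_install` function names are hypothetical. The sample result lines at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original mail or of rpm itself.
# Policy: a package whose signature check does not report a verified gpg
# signature is installed with its scriptlets and triggers disabled.
#
# Assumed `rpm -K` output format (rpm 4.x style):
#   foo.rpm: (sha1) dsa sha1 md5 gpg OK                  -> trusted
#   foo.rpm: (sha1) dsa sha1 md5 gpg NOT OK              -> untrusted
#   foo.rpm: sha1 md5 OK                                 -> digests only, untrusted

# untrusted_flags LINE
# Prints the extra rpm flags for one line of `rpm -K` output:
# nothing for a gpg-signed package that verified OK, otherwise
# "--noscripts --notriggers".
untrusted_flags() {
    case "$1" in
        # "NOT OK" must be tested first: "gpg NOT OK" also ends in " OK".
        *"NOT OK"*)            echo "--noscripts --notriggers" ;;
        # Verified signature (rpm prints "gpg" or "GPG" depending on version).
        *[gG][pP][gG]*" OK")   echo "" ;;
        # Digests only, or unrecognised output: treat as untrusted.
        *)                     echo "--noscripts --notriggers" ;;
    esac
}

# checked_install PACKAGE.rpm
# Runs the signature check, then installs with scripts disabled when the
# package is not trusted. Usage: checked_install foo.rpm
checked_install() {
    pkg="$1"
    result=$(rpm -K "$pkg" 2>&1)
    flags=$(untrusted_flags "$result")
    echo "install flags for $pkg: '${flags}'"
    # shellcheck disable=SC2086  # flags are intentionally word-split
    rpm -U $flags "$pkg"
}

# Constructed sample lines showing the decision without touching rpm.
sample_ok='foo.rpm: (sha1) dsa sha1 md5 gpg OK'
sample_bad='foo.rpm: (sha1) dsa sha1 md5 gpg NOT OK'
sample_nosig='foo.rpm: sha1 md5 OK'
for s in "$sample_ok" "$sample_bad" "$sample_nosig"; do
    echo "$s -> '$(untrusted_flags "$s")'"
done
```

The --noscripts --notriggers decision is made from the checksig result rather than from the package name or origin, so an unsigned package from any source is handled the same way; whether "digests only" should count as untrusted is the policy choice the mail is discussing, and the wrapper takes the conservative side.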