On Mon, 2004-08-23 at 12:56, Jeff Johnson wrote:
> Yes, rpm_script_t is applied only for /bin/sh, not for other helpers
> like /sbin/ldconfig, and /usr/sbin/{glibc,libgcc}_post_upgrade, to name
> the other known helpers.
>
> I can certainly change that behavior, and have asked several times if I
> should, with no answer.

I think it should change. For now, I'd say just use rpm_script_t for all
commands executed from the scriptlets specified in the spec file, whether
run via an interpreter or as a direct executable.

Note that on the policy side, the domain_trans(rpm_t, shell_exec_t,
rpm_script_t) rule should be changed to include any of the possible
entrypoint types. However, it should work even without that change in the
Fedora policy, because the unlimitedRPM tunable is enabled by default.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
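As an added illustration (not part of the thread or of any shipped policy), here is the policy-side change Stephen describes, written with the same domain_trans macro the message names: one rule per helper executable so that every scriptlet helper rpm runs is an entrypoint into rpm_script_t. ldconfig_exec_t is an existing type; the two *_post_upgrade entrypoint type names are placeholders, and the comment about the tunable is an assumption about how the fallback works.

```m4
# rpm.te fragment (added example, not from the thread)

# Existing rule: only /bin/sh is an entrypoint into rpm_script_t, so a
# helper such as /sbin/ldconfig executed directly by rpm stays in rpm_t.
domain_trans(rpm_t, shell_exec_t, rpm_script_t)

# Proposed rule set: each helper rpm may exec directly from a scriptlet
# gets the same transition, so rpm_script_t covers the helper whether the
# scriptlet runs through an interpreter or as a direct executable.
domain_trans(rpm_t, ldconfig_exec_t, rpm_script_t)
# PLACEHOLDER types: /usr/sbin/glibc_post_upgrade and libgcc_post_upgrade
# would need their own file types labeled in file_contexts first.
domain_trans(rpm_t, glibc_post_upgrade_exec_t_PLACEHOLDER, rpm_script_t)
domain_trans(rpm_t, libgcc_post_upgrade_exec_t_PLACEHOLDER, rpm_script_t)

# Assumption: the unlimitedRPM tunable, enabled by default in the Fedora
# policy, leaves rpm_t itself unconfined, which is why the missing rules
# do not break package installs today; the transitions above are what
# would confine helpers once that tunable is turned off.
```

Each helper type must already be assigned to its binary in file_contexts, otherwise the entrypoint check on the transition fails and rpm reports a denial rather than running the helper.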