Re: glibc post upgrade

Stephen Smalley wrote:

On Thu, 2004-08-26 at 09:44, Stephen Smalley wrote:


On Thu, 2004-08-26 at 05:37, Jeff Johnson wrote:


Malicious code from untrusted package problem not going to be solved by rpm_script_t alone afaict either.


Right. We still need a mechanism for distinguishing among packages and
running scriptlets in different domains based on either some property of
the package (the authority that signed it) or some knowledge of the
admin (i.e. he specifies the desired scriptlet domain for all packages
obtained from a given repository in his yum.conf or similar).



Not to mention needing different domains for rpm itself in such
scenarios...



There are a slew of issues beyond the mechanics of exec'ing a helper to establish a new
domain for rpm to run in.


The open questions that I have are:
a) Can untrusted and trusted data be stored in the same file?
b) Can trusted packages depend on untrusted? How?
c) How to preserve the existing rpmlib API while re-execing a helper that will require
non-trivial amounts of state to be reconstructed?


"trust" defined however selinux wishes of course.

Probably easier to write an installer from scratch for selinux purposes than it will be to
try to adapt the existing rpm code base is my current opinion.


73 de Jeff

