Re: [PATCH] last misc stuff

Russell Coker <russell@xxxxxxxxxxxx> writes:

> On Sunday, 6 January 2019 6:04:14 AM AEDT Chris PeBenito wrote:
>> > Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
>> > ===================================================================
>> > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
>> > +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
>> > @@ -1,9 +1,12 @@
>> > /etc/cron\.daily/apt    --     
>> > gen_context(system_u:object_r:apt_exec_t,s0)
>> > 
>> > -ifndef(`distro_redhat',`
>> > +/usr/bin/apt           --     
>> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-get        --  
>> >    gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell    
>> > --      gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude   
>> >    --      gen_context(system_u:object_r:apt_exec_t,s0)
>> > +/usr/sbin/update-apt-xapian-index --
>> > gen_context(system_u:object_r:apt_exec_t,s0) +
>> > +ifndef(`distro_redhat',`
>> > +/usr/bin/apt-shell     --     
>> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic      --  
>> >    gen_context(system_u:object_r:apt_exec_t,s0)
>> > /usr/lib/packagekit/packagekitd --     
>> > gen_context(system_u:object_r:apt_exec_t,s0) /var/cache/PackageKit(/.*)? 
>> >    gen_context(system_u:object_r:apt_var_cache_t,s0)
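Review bot: the entries lifted above the ifndef(`distro_redhat',` line (/usr/bin/apt, /usr/bin/apt-get, /usr/bin/aptitude and /usr/sbin/update-apt-xapian-index) are now labelled apt_exec_t on every distro, so any other module that carries file contexts for the same paths will collide with them; check policy/modules for those paths before making them unconditional. Moving /usr/bin/apt-shell into the block goes the other way and leaves it without an apt_exec_t label on Red Hat builds, unlike the other apt binaries. The block is also only a negative test: /usr/sbin/synaptic and /usr/lib/packagekit/packagekitd still get apt labels on every non-Red Hat distro, so a positive test for the distro that actually ships them would be tighter.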
>> I modified some of these changes, as it results in file context
>> conflicts with the RPM module.  More accurately, I removed the fc
>> entries in RPM that label the apt executables.  I moved the apt-shell
>> back out of the ifndef block.
>> 
>> I think the synaptic and packagekit fc entries, which are in both apt
>> and rpm modules, may need to be dropped and move to the distro's
>> patches.  Either that, or this ifndef needs to turn into ifdef debian
>> (or something else).
>> 
>> Otherwise merged.
>
> I agree that things should be reconsidered with apt policy.
>
> Do we even need separate apt and rpm policy given that both package managers 
> have access to write everything and change config files?

AFAIK, apt can probably just be part of the rpm domain. Heck, even dpkg
can be. The only thing, I think, that in that case should be taken care of
is to make a typealias rpm_script_t dpkg_script_t, because dpkg has
SELinux awareness and wants to manually transition to dpkg_script_t to
execute the scriptlets.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
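
The file context conflict between the apt and rpm modules discussed in the quoted reply can be checked mechanically. The following is an added example, not code from the thread or from refpolicy: the `.fc` snippets are constructed (the rpm one is invented for the demo), conditionals are assumed not to nest, and only identical path specifications are compared, not overlapping regexes.

```python
import re
from collections import defaultdict

# Constructed sample .fc text: APT_FC follows the layout of the quoted patch,
# RPM_FC is invented for this demo and is not the real refpolicy rpm.fc.
APT_FC = """
/usr/bin/apt-get    --  gen_context(system_u:object_r:apt_exec_t,s0)
ifndef(`distro_redhat',`
/usr/bin/apt-shell  --  gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic  --  gen_context(system_u:object_r:apt_exec_t,s0)
')
"""
RPM_FC = """
/usr/bin/rpm        --  gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/apt-get    --  gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/synaptic  --  gen_context(system_u:object_r:rpm_exec_t,s0)
"""
MODULES = {"apt": APT_FC, "rpm": RPM_FC}

# One entry: path regex, optional file-type flag, then gen_context(user:role:type,...
FC_LINE = re.compile(r"^(/\S*)\s+(?:(-[-dbclsp])\s+)?gen_context\(([^,)]+)")
# Opening of an m4 conditional such as: ifndef(`distro_redhat',`
COND_OPEN = re.compile(r"^(ifn?def)\(`(\w+)',`")

def parse_fc(text):
    """Yield (path, ftype, context, condition) per entry; conditionals must not nest."""
    cond = None
    for line in map(str.strip, text.splitlines()):
        opened, entry = COND_OPEN.match(line), FC_LINE.match(line)
        if opened:
            cond = (opened.group(1), opened.group(2))
        elif line.startswith("')"):
            cond = None
        elif entry:
            yield entry.group(1), entry.group(2) or "any", entry.group(3), cond

def active(cond, defined):
    """True when an entry guarded by cond survives m4 expansion with these macros set."""
    return cond is None or (cond[1] in defined) == (cond[0] == "ifdef")

def conflicts(modules, defined):
    """Map (path, ftype) -> [(module, context)] for specs claimed by more than one module."""
    seen = defaultdict(list)
    for mod, text in modules.items():
        for path, ftype, ctx, cond in parse_fc(text):
            if active(cond, defined):
                seen[(path, ftype)].append((mod, ctx))
    return {k: v for k, v in seen.items() if len({m for m, _ in v}) > 1}

if __name__ == "__main__":
    for macros in (set(), {"distro_redhat"}):
        print(sorted(macros) or "no distro macro", conflicts(MODULES, macros))
```

Running it with no distro macro defined reports both `/usr/bin/apt-get` and `/usr/sbin/synaptic`, while defining `distro_redhat` leaves only the unconditional `/usr/bin/apt-get` entry in conflict.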


