Hello Russel, > > It would definitely help to have separate apt_t and apt_script_t > > domains, though, to be able to differentiate access for installation > > scripts and the package manager itself. > What meaningful restrictions can be applied to one but not the other? I agree with you that we would currently have to allow pretty much any access by apt_script_t, unfortunately. Sorry for mixing up apt and dpkg again in that post btw, yes, it sould be dpkg_t and dpkg_script_t, obviously. No, I can't really think of ways to restrict dpkg_script_t apart from not messing with the dpkg_t state files. Maybe we could make some policy that /usr is to be modified by dpkg_t only whereas dynamically generated files have to reside in /var, but I doubt this would currently hold. And after all, dpkg_script_t needs to be able to even add users to /etc/passwd (although through the helper applications, not directly). best regards, Erich Schubert -- erich@(vitavonni.de|debian.org) -- GPG Key ID: 4B3A135C (o_ The early bird gets the worm, but the second mouse gets the cheese. //\ Ein Freund ist ein Geschenk, das man sich selbst macht. V_/_ -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.