[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Installing new policy?

From: Russell Coker <russell coker com au>
To: fedora-selinux-list redhat com
Cc: Paul Nasrat <pauln truemesh com>, jbj redhat com
Subject: Re: Installing new policy?
Date: Tue, 9 Mar 2004 03:21:34 +1100

On Tue, 9 Mar 2004 03:06, Paul Nasrat <pauln truemesh com> wrote:
> On Mon, Mar 08, 2004 at 11:07:43AM -0500, Bill Nottingham wrote:
> > Tom Mitchell (mitch48 sbcglobal net) said:
> > > If I understand this...
> > >
> > > In development cycles having the "current" best practice policy does
> > > make sense for some,  but not outside the context of "default policy
> > > development".
> >
> > Yes, but if you're pushing new policy that actually fixes bugs
> > (think post-release here), you'd want that automatically installed
> > on upgrade.
>
> I believe Jeff was working on this, however the hooks would have to be in
> rpm I imagine as you probably don't want rpm_script_t having write access
> to policy_src_t right?

At the moment rpm_script_t has access to so much that there's no point in 
trying to impose any serious restriction on it.

I suspect that limiting rpm_script_t in any significant way will have to wait 
until we have multiple domains for rpm for installing packages with different 
signatures.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Follow-Ups:
- Re: Installing new policy?
  - From: Tom Mitchell

References:
- Installing new policy?
  - From: Jeffrey C. Ollie
- Re: Installing new policy?
  - From: Bill Nottingham
- Re: Installing new policy?
  - From: Paul Nasrat

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]