Dependency hell

Panu Matilainen pmatilai at welho.com
Sun Apr 11 17:12:17 UTC 2004


On Sun, 11 Apr 2004, Russell Coker wrote:

> On Tue, 6 Apr 2004 05:43, Panu Matilainen <pmatilai at welho.com> wrote:
> > In the long run apt should probably run in its own domain with suitable
> > restrictions on the methods etc... but this all raises the question:
> > How are 3rd party packages supposed to ship their own policy settings in
> > a sane manner?
> 
> I've added rpm_exec_t entries for the apt programs in my tree.
> 
> If we are going to have apt as a recommended program or if we have some setup 
> with yum or up2date whereby one program gets the files and another does the 
> install (similar to the apt-get/dpkg) then we could write policy to 
> support/enforce that distinction.

Note that apt-rpm by default doesn't use an external rpm binary to do the
installation anymore, it uses rpmlib for the job (but can be reverted to
the old behavior with a config option). So in that mode it requires all
the rights rpm itself has.

The other parts like download, uncompress etc which run as separate
processes could well be restricted much more and I'm in fact planning to
write such a policy for apt just (if only to teach myself selinux).

> 
> However I expect apt to be phased out, so it's probably not worth doing.

I don't see it going away anytime soon.

	- Panu -





More information about the fedora-devel-list mailing list