Installing new policy?
Russell Coker
russell at coker.com.au
Mon Mar 8 16:21:34 UTC 2004
On Tue, 9 Mar 2004 03:06, Paul Nasrat <pauln at truemesh.com> wrote:
> On Mon, Mar 08, 2004 at 11:07:43AM -0500, Bill Nottingham wrote:
> > Tom Mitchell (mitch48 at sbcglobal.net) said:
> > > If I understand this...
> > >
> > > In development cycles having the "current" best practice policy does
> > > make sense for some, but not outside the context of "default policy
> > > development".
> >
> > Yes, but if you're pushing new policy that actually fixes bugs
> > (think post-release here), you'd want that automatically installed
> > on upgrade.
>
> I believe Jeff was working on this, however the hooks would have to be in
> rpm I imagine as you probably don't want rpm_script_t having write access
> to policy_src_t right?

At the moment rpm_script_t has access to so much that there's no point in
trying to impose any serious restriction on it.

I suspect that limiting rpm_script_t in any significant way will have to wait
until we have multiple domains for rpm for installing packages with different
signatures.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page