[Rpm-maint] [PATCH RFC] Package script(let)s SELinux execution context

Eric Paris eparis at parisplace.org
Mon Dec 3 17:15:23 UTC 2012


Anyone have any comments?  I don't see a problem if such a function
would make your life better...

On Tue, Nov 20, 2012 at 10:27 AM, Guillem Jover <guillem at debian.org> wrote:
> Hi!
>
> Some context for the rpm folks. While looking into improving SELinux
> support in dpkg, I noticed that dpkg is not setting a new execution
> context when running the package maintainer scripts (package scriptlets
> in rpm lingo, I think). And when checking how to implement it, it seemed
> that reusing something like the current rpm_execcon() would be best,
> and Stephen seemed to agree. For more details, see the thread starting
> at <http://marc.info/?t=135236358700001&r=1&w=2>.
>
> Having checked the rpm code, and the mailing list, it seems like this
> new function would make it easy to be used there too for stuff like
> the Lua scriptlets (if desired), and might make it easier also to
> switch to the new rpm plugins framework (?).
>
> I've discarded the verified argument for the new function because that
> seemed best handled from the rpm side, and in any case seemed unrelated
> to the execution context. I'm not entirely convinced about the function
> name though, as it could be confused as applying a context to a path on
> the filesystem. And I've not marked rpm_execcon() as deprecated because
> it might be annoying at the beginning, but would change that if you think
> it makes sense.
>
> In any case, here's a patch adding such new function. For dpkg, given
> that it has never set a new context up to now, I'd only make use of the
> function if it's available in libselinux, as I don't think it's worth it
> to ship an embedded copy. For rpm, I guess it could switch to use the
> function also if available and fall back to rpm_execcon() otherwise. After
> a while the rpm_execcon() function could be removed from libselinux, on
> the next ABI break, as I understand was the plan anyway (?).
>
> (The patch might not apply w/o the man page cleanup series.)
>
> So, what do you think?
>
> Thanks,
> Guillem
>
> Guillem Jover (1):
>   libselinux: Refactor rpm_execcon into a new setexecfilecon()
>
>  libselinux/Makefile                        |  3 +++
>  libselinux/include/selinux/selinux.h       |  4 ++++
>  libselinux/man/man3/getexeccon.3           | 23 ++++++++++++++++++++---
>  libselinux/src/Makefile                    |  3 ---
>  libselinux/src/{rpm.c => setexecfilecon.c} | 27 ++++++++++++++++++++-------
>  5 files changed, 47 insertions(+), 13 deletions(-)
>  rename libselinux/src/{rpm.c => setexecfilecon.c} (71%)
>
> --
> 1.8.0
>
>
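The context selection that rpm_execcon() and the proposed setexecfilecon() have to make before exec'ing a scriptlet, written out as an added example that is not code from the patch or from libselinux. The function names context_with_type and choose_exec_context are hypothetical, the inputs are plain strings so the logic runs without an SELinux host, and rpm_script_t/dpkg_script_t are used only as sample type names.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration (not from the patch). With libselinux the inputs come
 * from getcon() (the package manager's own context), getfilecon() on the
 * scriptlet file and security_compute_create(..., "process") for the policy's
 * default transition; the chosen context is handed to setexeccon() before
 * execve(). Here the inputs are plain strings so the logic runs anywhere. */

/* Replace the type field of "user:role:type[:level]" with fallback_type.
 * Only the first three colons delimit fields: an MLS/MCS level such as
 * "s0-s0:c0.c1023" contains colons itself and must be copied through.
 * Returns a malloc'ed string, or NULL if the context is malformed. */
char *context_with_type(const char *ctx, const char *fallback_type)
{
    const char *role_end, *type_end;
    const char *user_end = strchr(ctx, ':');
    if (!user_end || !(role_end = strchr(user_end + 1, ':')))
        return NULL;
    type_end = strchr(role_end + 1, ':');            /* NULL when no level */
    size_t prefix_len = (size_t)(role_end + 1 - ctx); /* "user:role:" */
    const char *suffix = type_end ? type_end : "";
    char *out = malloc(prefix_len + strlen(fallback_type) + strlen(suffix) + 1);
    if (!out)
        return NULL;
    memcpy(out, ctx, prefix_len);
    strcpy(out + prefix_len, fallback_type);
    strcat(out, suffix);
    return out;
}

/* Decide which context the scriptlet runs in.
 * cur_ctx:       the package manager's own context (sample: "...:rpm_t:s0")
 * computed_ctx:  what policy says a process started from the scriptlet file
 *                gets; equal to cur_ctx when policy has no transition rule
 * fallback_type: domain forced when no transition exists, so the script does
 *                not silently inherit the package manager's full privileges
 * Returns a malloc'ed context, or NULL (caller should refuse to exec). */
char *choose_exec_context(const char *cur_ctx, const char *computed_ctx,
                          const char *fallback_type)
{
    if (strcmp(cur_ctx, computed_ctx) != 0)
        return strdup(computed_ctx);   /* policy transition rule applies */
    if (!fallback_type)
        return NULL;                   /* no transition and no fallback */
    return context_with_type(cur_ctx, fallback_type);
}
```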

