[Rpm-maint] First attempt for the patch on extending the plugin interface for rpm

Stephen Smalley sds at tycho.nsa.gov
Tue Oct 16 16:51:43 UTC 2012


On Tue, 2012-10-16 at 16:31 +0000, Reshetova, Elena wrote:
> >The script setup hook is fairly obvious too, just forgot to mention it.
> >The one question with that is (again) the argument(s) it receives:
> >currently it's ARGV_t, but does it actually need the entire argv or would just 
> >the actual executable path suffice for the setup?
> 
> I am fine with just the path, but looking at the SELinux code, the rpm_execcon() 
> func needs the whole argv struct.
> 
> @ Stephen, do you know how mandatory it is for SELinux to have the whole argv 
> struct? Is it just because of rpm_execcon() API or?

It is because presently rpm_execcon() performs the exec call.  If the
exec call is handled by the caller, then we only need the executable
path.  Likewise with envp; we do not need it if the caller performs the
exec.  We would just move the remaining logic to set up the exec context
from libselinux rpm_execcon() into the rpm selinux plugin code; as rpm
is the only user of it, there is no real reason for it to live in
libselinux vs being part of an rpm plugin.

-- 
Stephen Smalley
National Security Agency
