Bug#685992: /usr/sbin/update-flashplugin-nonfree: Please restore selinux context after installing files
Let's not compare init scripts with dpkg scripts. The issue at hand here is that dpkg, and dpkg scripts, do not install files with the correct context.

As a Fedora user, I am not very familiar with dpkg, but I can tell you that rpm, and the rpm script mechanism, are SELinux aware. They use the matchpathcon() and setfscreatecon() libselinux functions to query what the security context of a to-be-installed object should be, and to install objects with the security context returned by matchpathcon() using setfscreatecon() or similar libselinux functions. For inspiration, I would suggest one studies the SELinux commits in the rpm repository.

If dpkg cannot, because it uses a different mechanism for dpkg scripts than rpm does for rpm scripts, deal with those scripts in a similar way, then another solution should be thought of. For example, create a hook that gets called in dpkg scripts, if it is determined that SELinux is enabled on the target system, that runs restorecon.

The idea is that policy defines/maintains a list with file context specifications; the restorecon and matchpathcon commands query that list to determine what a specified location should be labeled. Restorecon additionally resets the context of a specified location according to what is specified system-wide in the file context specifications.

So it's a one- or two-step procedure:

preferred (not racy) (see libselinux: http://selinuxproject.org/page/LibselinuxAPISummary ):
  matchpathcon() object: determine what a specified object should be labeled by querying the system-wide file context specifications defined by security policy and/or admin
  setfscreatecon() object (see man setfscreatecon): create the specified object with the context that was returned by the matchpathcon() function.

alternate (racy):
  use the restorecon/setfiles object commands to reset the context of a specified object to what is specified system-wide in the file context specifications defined by policy and admin

I would suggest one takes a good look at how rpm deals with this, and apply their solution where applicable, because rpm has been doing this for quite a while and so we can imagine that they have learned a lot and adjusted to the optimal way of doing things.

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
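The two procedures described in the message above, carried into a shell hook of the kind a downloader script could run after fetching files. This is an added example written for this page; it is not code from the bug report, from dpkg or from update-flashplugin-nonfree. It assumes the policycoreutils commands selinuxenabled, matchpathcon and restorecon (plus coreutils chcon) are on PATH on SELinux hosts; the function names and the temporary-file naming are assumptions of this example. Since a shell script cannot call setfscreatecon(), the preferred variant is approximated by asking matchpathcon -n for the label the final path should carry, applying it with chcon to a temporary file in the destination directory, and only then renaming into place, so the final path never exists with a default, wrong label. The restorecon variant is kept as the after-the-fact fallback the message calls racy. On a host without SELinux every labelling step is skipped and plain installation still happens.

```shell
#!/bin/sh
# Added example (not code from the bug report, dpkg or update-flashplugin-nonfree).
# Install a file fetched outside the package manager and give it the SELinux
# label the system-wide file context specifications prescribe for its path.
# Assumes selinuxenabled, matchpathcon, restorecon and chcon exist on SELinux
# hosts; without SELinux the labelling steps are no-ops. POSIX sh, so the
# helper variables are global rather than local.

# selinux_active: succeed only when SELinux is enabled on this host.
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# expected_label PATH: print the context policy prescribes for PATH
# (matchpathcon -n prints the label without the path prefix).
expected_label() {
    matchpathcon -n "$1"
}

# install_relabelled SRC DEST [MODE]
# Query-then-create variant: label a temporary file in DEST's directory with
# the context DEST should have, then rename it into place. The final path is
# therefore never visible with the directory's default label, which closes
# the window a create-then-restorecon sequence leaves open.
install_relabelled() {
    src=$1
    dest=$2
    mode=${3:-0644}
    destdir=$(dirname "$dest")
    tmp=$(mktemp "$destdir/.install.XXXXXX") || return 1
    if ! install -m "$mode" "$src" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if selinux_active; then
        # the label is looked up for the FINAL path, not the temporary name
        label=$(expected_label "$dest") || { rm -f "$tmp"; return 1; }
        if ! chcon "$label" "$tmp"; then
            rm -f "$tmp"
            return 1
        fi
    fi
    # a rename within one filesystem keeps the inode and thus its label
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}

# relabel_tree DIR
# Alternate (racy) variant: the hook the message suggests, resetting every
# label under DIR from the file context specifications after the fact.
relabel_tree() {
    if selinux_active; then
        restorecon -R "$1"
    fi
}

# verify_label PATH: succeed when the on-disk label matches policy
# (matchpathcon -V), or trivially when SELinux is not enabled.
verify_label() {
    if selinux_active; then
        matchpathcon -V "$1" >/dev/null
    fi
}

# Usage: sh install_relabelled.sh SRC DEST [MODE]
if [ $# -ge 2 ]; then
    install_relabelled "$1" "$2" "${3:-0644}" && verify_label "$2"
fi
```

The split into install_relabelled and verify_label mirrors the two halves of the message's preferred procedure (look up, then create with that label) and gives the caller a check it can run afterwards; relabel_tree is what a postinst would call if it only wanted the cheap, racy fix.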
Bug#685992: /usr/sbin/update-flashplugin-nonfree: Please restore selinux context after installing files
On Thu, 2013-10-10 at 12:13 +0200, Dominick Grift wrote:
> Let's not compare init scripts with dpkg scripts. The issue at hand here
> is that dpkg, and dpkg scripts, do not install files with the correct
> context.

So far as I can tell, that's very much _not_ the issue at hand. This bug is precisely about files created outside of the packaging system, not by it. init scripts are a common creator of such files (e.g. state in /run), but scripts downloading files from external locations are another; for example, see the bug marked as being blocked by this one.

On a related note, "dpkg script" is not a term generally used within Debian. Are you referring to what we'd call maintainer scripts? (Pre/post removal/installation scripts.)

> As a Fedora user, I am not very familiar with dpkg,

That much is clear. :-)

> but I can tell you that rpm, and the rpm script mechanism, are SELinux
> aware.

A quick grep of dpkg's source code will demonstrate that this is also the case for dpkg. A small bit of archaeology leads to

2005-06-11  Manoj Srivastava  <sriva...@debian.org>

	* lib/star.c (ExtractFile, SetModes): If dpkg is compiled with
	SELinux, test once whether SELinux is enabled on the system. If it
	is enabled, find out the security context of the file from its path
	and either set what we think it should be or let the default
	security context for the process be applied.

Regards,

Adam
Bug#685992: /usr/sbin/update-flashplugin-nonfree: Please restore selinux context after installing files
On Thu, 2013-10-10 at 20:05 +0100, Adam D. Barratt wrote:
> On a related note, "dpkg script" is not a term generally used within
> Debian. Are you referring to what we'd call maintainer scripts?
> (Pre/post removal/installation scripts.)

Yes, I think that is what this is about. If I understand correctly, files installed/created by the scripts end up mislabeled. But truth be told, I might be wrong. I just see a bunch of mislabeled files when a package gets installed.
Bug#685992: [Fwd: Re: Bug#685992: /usr/sbin/update-flashplugin-nonfree: Please restore selinux context after installing files]
Seems this was not sent to the bugzilla.

-------- Forwarded Message --------
From: Dominick Grift <dominick.gr...@gmail.com>
To: Adam D. Barratt <a...@adam-barratt.org.uk>
Cc: 685...@bugs.debian.org
Subject: Re: Bug#685992: /usr/sbin/update-flashplugin-nonfree: Please restore selinux context after installing files
Date: Thu, 10 Oct 2013 21:32:05 +0200

On Thu, 2013-10-10 at 20:05 +0100, Adam D. Barratt wrote:
> On a related note, "dpkg script" is not a term generally used within
> Debian. Are you referring to what we'd call maintainer scripts?
> (Pre/post removal/installation scripts.)

Yes, I think that is what this is about. If I understand correctly, files installed/created by the scripts end up mislabeled. But truth be told, I might be wrong. I just see a bunch of mislabeled files when a package gets installed.