From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 27 Jun 2012 18:59:59 +0200
Subject: [refpolicy] [PATCH v2]: fix packagekit file context (standard
 location for the daemon)
In-Reply-To: <1340739947.12652.7.camel@x220.mydomain.internal>
References: <1340207771.3570.11.camel@vortex>
	<1340240971.2940.2.camel@vortex> <4FE9BCD9.7010307@tresys.com>
	<1340718653.12652.1.camel@x220.mydomain.internal>
	<4FE9C1CB.4060804@tresys.com> <1340739584.2840.2.camel@vortex>
	<1340739947.12652.7.camel@x220.mydomain.internal>
Message-ID: <1340816399.3001.8.camel@vortex>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello again.

On Tue, 2012-06-26 at 21:45 +0200, Dominick Grift wrote:
> On Tue, 2012-06-26 at 21:39 +0200, Guido Trentalancia wrote:
> 
> > 
> > Backward-compatibility should only be considered if it can coexist with
> > compatibility with recent versions.
> 
> It can coexist.

Needless to say, if both lines coexist without a conditional expression
on the version (not supported at the moment), in the absence of any hash
verification (should fit well as an optional last field in a future
version of the file-contexts definitions), an hijacked copy of
policykitd installed in the other location would be able to run with the
same permissions as the trusted packagekitd without the user noticing
anything.

> > > Right.  I've restored the line.

Least but not last, it probably was just a bug, as since version 0.1.0
through 0.7.4, they all install by default in sbindir (which defaults
to /usr/sbin).

> > See above.

Regards,

Guido