From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 18 Feb 2017 08:10:50 -0500
Subject: [refpolicy] [PATCH] dpkg related patches
In-Reply-To: <201702161334.47987.russell@coker.com.au>
References: <20170214064140.n6mlaf5ouruizi7i@athena.coker.com.au> <6c6cbb82-985e-6e0a-d6e1-e28ea82886b7@ieee.org> <201702161334.47987.russell@coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/15/17 21:34, Russell Coker wrote:
> On Thu, 16 Feb 2017 11:08:13 AM Chris PeBenito wrote:
>>> +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>>> +domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
>>
>> What are these files? I don't know dpkg, but this seems odd.
>
> # ls -l /var/lib/dpkg/info/|grep rwx|head
> -rwxr-xr-x. 1 root root 614 Nov 27 08:28 accountsservice.postrm
> -rwxr-xr-x. 1 root root 184 Feb 7 2016 acl.postinst
> -rwxr-xr-x. 1 root root 165 Feb 7 2016 acl.postrm
> -rwxr-xr-x. 1 root root 2718 Sep 20 20:14 acpid.postinst
> -rwxr-xr-x. 1 root root 1614 Sep 20 20:14 acpid.postrm
> -rwxr-xr-x. 1 root root 1338 Sep 20 20:14 acpid.preinst
> -rwxr-xr-x. 1 root root 382 Sep 20 20:14 acpid.prerm
> -rwxr-xr-x. 1 root root 956 Sep 25 2015 acpi-fakekey.postinst
> -rwxr-xr-x. 1 root root 781 Sep 25 2015 acpi-fakekey.postrm
> -rwxr-xr-x. 1 root root 179 Sep 25 2015 acpi-fakekey.prerm
>
> Most Debian packages ship with scripts that are run before or after
> installation or removal. They are to run as dpkg_script_t.

Wouldn't dpkg_script_exec_t or dpkg_helper_exec_t make more sense?

-- 
Chris PeBenito
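
Review bot: In both added lines, spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t) and domain_entry_file(dpkg_script_t, dpkg_var_lib_t), the entry type is dpkg_var_lib_t, so every file carrying that label, not only the executable maintainer scripts listed from /var/lib/dpkg/info/, is accepted as an entrypoint into dpkg_script_t. Give the scripts their own type, for example the dpkg_script_exec_t suggested in the reply, with a file context matching the script files in /var/lib/dpkg/info/, and pass that type as the second argument of spec_domtrans_pattern and of domain_entry_file. A comment above the two lines saying that these are the package pre/post installation and removal scripts would also answer the question raised in review.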