From: russell@coker.com.au (Russell Coker)
Date: Sun, 19 Feb 2017 13:18:20 +1100
Subject: [refpolicy] [PATCH] dpkg related patches
In-Reply-To: <bc7f8789-f3e2-a638-fdbe-646f944d376f@ieee.org>
References: <20170214064140.n6mlaf5ouruizi7i@athena.coker.com.au>
	<201702161334.47987.russell@coker.com.au>
	<bc7f8789-f3e2-a638-fdbe-646f944d376f@ieee.org>
Message-ID: <201702191318.20528.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 19 Feb 2017 12:10:50 AM Chris PeBenito wrote:
> > Most Debian packages ship with scripts that are run before or after
> > installation or removal.  They are to run as dpkg_script_t.
> 
> Wouldn't dpkg_script_exec_t or dpkg_helper_exec_t make more sense?

The same directory also contains non-executable data files that are read by 
other domains (such as user_t).

We could have labelling based on file extensions (like .postinst), but do we 
really benefit from having yet another type?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/