From: russell@coker.com.au (Russell Coker)
Date: Sun, 19 Feb 2017 13:18:20 +1100
Subject: [refpolicy] [PATCH] dpkg related patches
In-Reply-To:
References: <20170214064140.n6mlaf5ouruizi7i@athena.coker.com.au> <201702161334.47987.russell@coker.com.au>
Message-ID: <201702191318.20528.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 19 Feb 2017 12:10:50 AM Chris PeBenito wrote:
> > Most Debian packages ship with scripts that are run before or after
> > installation or removal. They are to run as dpkg_script_t.
>
> Wouldn't dpkg_script_exec_t or dpkg_helper_exec_t make more sense?

The same directory also contains non-executable data files that are read by
other domains (such as user_t). We could have labelling based on file
extensions (like .postinst), but do we really benefit from having yet another
type?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/