From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 19 Feb 2017 14:44:23 -0500
Subject: [refpolicy] [PATCH] dpkg related patches
In-Reply-To: <201702191318.20528.russell@coker.com.au>
References: <20170214064140.n6mlaf5ouruizi7i@athena.coker.com.au>
	<201702161334.47987.russell@coker.com.au>
	<bc7f8789-f3e2-a638-fdbe-646f944d376f@ieee.org>
	<201702191318.20528.russell@coker.com.au>
Message-ID: <1578a24c-a17f-6eca-0e0c-592c1d5f7af4@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/18/17 21:18, Russell Coker wrote:
> On Sun, 19 Feb 2017 12:10:50 AM Chris PeBenito wrote:
>>> Most Debian packages ship with scripts that are run before or after
>>> installation or removal.  They are to run as dpkg_script_t.
>>
>> Wouldn't dpkg_script_exec_t or dpkg_helper_exec_t make more sense?
>
> The same directory also contains non-executable data files that are read by
> other domains (such as user_t).
>
> We could have labelling based on file extensions (like .postinst), but do we
> really benefit from having yet another type?

If that's the case, then no.

-- 
Chris PeBenito