From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 19 Feb 2017 14:44:23 -0500
Subject: [refpolicy] [PATCH] dpkg related patches
In-Reply-To: <201702191318.20528.russell@coker.com.au>
References: <20170214064140.n6mlaf5ouruizi7i@athena.coker.com.au> <201702161334.47987.russell@coker.com.au> <201702191318.20528.russell@coker.com.au>
Message-ID: <1578a24c-a17f-6eca-0e0c-592c1d5f7af4@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/18/17 21:18, Russell Coker wrote:
> On Sun, 19 Feb 2017 12:10:50 AM Chris PeBenito wrote:
>>> Most Debian packages ship with scripts that are run before or after
>>> installation or removal. They are to run as dpkg_script_t.
>>
>> Wouldn't dpkg_script_exec_t or dpkg_helper_exec_t make more sense?
>
> The same directory also contains non-executable data files that are read by
> other domains (such as user_t).
>
> We could have labelling based on file extensions (like .postinst), but do we
> really benefit from having yet another type?

If that's the case, then no.

--
Chris PeBenito