On Mon, 28 Jan 2002 00:16:00 +1100, Russell Coker said:
> On Sat, 26 Jan 2002 14:17, Valdis.Kletnieksat_private wrote:
> > Try that with an NTP RPM, and let me know how well it works when the LSM
> > you have loaded refuses to allow the process to set the system clock. ;)
>
> There are only two problems with that:
>
> 1) There has been no chsid/relabel operation done after the files were put
> in place to give them the correct security settings.
> 2) The standard RPM package of NTP undoubtedly doesn't use run_init.
>
> For Debian we are currently discussing ways of solving 1. One suggestion
> that can be immediately supported is to unpack a package, search its file
> list and match it on /etc/flask/file_contexts, and apply the appropriate SIDs.
> Then continue with the package configuration. I could possibly even divert
> dpkg to a wrapper which does this.

However, this implies that you've *already* told your LSM package about NTP.
If it's a *new* package, you won't have entries in /etc/flask. You also won't
be able to use the /etc/flask data if you are using some other LSM that
doesn't speak flask.

> These things are solvable!

The statement as originally made: "You can just build the RPM on a non-LSM
machine and it will Just Work" is *not* solvable.

There seem to be 2,004 RPMs on the RedHat Rawhide. *Every Single One* was
built on a non-LSM machine. How many will roll over and die if run on a
system that has an LSM of some sort running that restricts what processes
can/cannot do?

And handwaving about "just put it in /etc/flask" is just that - handwaving.
Even if you go through and create flask entries for all those RPMs that need
them, you will *still* have to go back and add new entries when somebody
releases Foo-Gronk 0.9.5.

/Valdis
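The relabel step Russell sketches (match a package's file list against file_contexts, then label each file) and the gap Valdis raises (a new package has no entries at all) can both be seen in a small matcher. This is an added illustration, not code from either poster or from any flask/dpkg tool: the file_contexts lines and the package file list are constructed, the "last matching entry wins" rule is assumed, and the optional file-type field is parsed but not enforced. Files with no matching entry are reported instead of silently left unlabelled, which is the case a post-install wrapper has to handle.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in file_contexts form: <path regex> [<type>] <context>.
# General entries come first; the assumed rule is that the last match wins,
# so the more specific ntp entries below override /etc and /usr/sbin.
FILE_CONTEXTS = """\
# blank lines and comments are ignored
/etc(/.*)?                  system_u:object_r:etc_t
/usr/sbin(/.*)?             system_u:object_r:sbin_t
/usr/sbin/ntpd          --  system_u:object_r:ntpd_exec_t
/etc/ntp(/.*)?              system_u:object_r:ntp_etc_t
/var/lib/ntp(/.*)?          system_u:object_r:ntp_var_lib_t
"""

# Constructed file list, as a wrapper might read it from the unpacked package.
PACKAGE_FILES = [
    "/usr/sbin/ntpd",
    "/etc/ntp",
    "/etc/ntp/ntp.conf",
    "/var/lib/ntp/drift",
    "/usr/share/doc/ntp/README",   # no entry anywhere in file_contexts
]

Spec = Tuple["re.Pattern[str]", Optional[str], str]

def parse_file_contexts(text: str) -> List[Spec]:
    """Return one (anchored regex, optional type flag, context) per entry."""
    specs: List[Spec] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, ftype, context = fields
        elif len(fields) == 2:
            (pattern, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts entry: {line!r}")
        specs.append((re.compile(pattern + r"\Z"), ftype, context))  # whole path
    return specs

def lookup(specs: List[Spec], path: str) -> Optional[str]:
    """Context for path, or None if no entry matches (last match wins)."""
    ctx = None
    for pattern, _ftype, context in specs:
        if pattern.match(path):
            ctx = context
    return ctx

def relabel_plan(specs: List[Spec], files: List[str]):
    """Split a package's files into (path, context) pairs and unmatched paths."""
    plan, unmatched = [], []
    for path in files:
        ctx = lookup(specs, path)
        plan.append((path, ctx)) if ctx else unmatched.append(path)
    return plan, unmatched
```

Running `relabel_plan(parse_file_contexts(FILE_CONTEXTS), PACKAGE_FILES)` labels the four ntp paths and leaves `/usr/share/doc/ntp/README` in the unmatched list, the "no entry for a new package" case.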
This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 11:17:25 PST