On Wed, 31 Mar 2004 17:42, Aleksey Nogin <aleksey(a)nogin.org&gt; wrote: By design sysadm_r can do everything, including disabling SE Linux. So being able to get rpm_t is no problem. In future we will provide an option to have a secadm_r role to perform security administration and a sysadm_r role that can only be used for basic sysadm tasks. Such a mode of operation will conflict with the --pipe command for rpm. When we implement that we will have to do something about the --pipe command, either disable it or have it cause a domain transition back to the calling domain. Another thing that will need to be done is to have multiple contexts for running rpm for different package signatures. This will probably require having the current rpm functionality split into two executables. This means that one can be used for parsing the command line, checking the signature, and running the --pipe operation. The other could do the real work. These are just some wild ideas. Hopefully Jeff will be available to give some better ones. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page

On 31.03.2004 01:37, Paul Nasrat wrote: I am guessing that the "internal" trusted executable could be called from rpmlib and be the one doing all the stuff that requires special permissions and this way it would not matter what "front end" (rpm/apt/yum/up2date/etc) is used. I have no idea whether the current rpmlib API would support something like this, so I could be wrong. -- Aleksey Nogin Home Page: http://nogin.org/ E-Mail: nogin(a)cs.caltech.edu (office), aleksey(a)nogin.org (personal) Office: Jorgensen 70, tel: (626) 395-2907