Attention: Proprietary video driver users (ATI, Nvidia, etc.)

[Ivan Gyurdiev]

> Correction.. non-crackrock rpms would not create a problem.  You can
> do an amazing amount of damage via postinstall scripts inside
> packages. It wouldn't be all that difficult to create an nvidia rpm
> that dropped the nvidia installer on the system and then ran the
> installer via postinstall script. In fact I'm pretty sure I've seen
> that sort of beast in the wild at some point.  If your security is so
> tight that postinstall actions during rpm packages would generally
> fail when tampering with other package's files.. then you break lots
> of postinstall actions.
>   
I think rpm scripts already run within rpm_script_t domain which is 
confined on strict policy.
Not sure how extensive the confinement is (I don't think it's very 
extensive).

What kind of scripts legitimately need to tamper with other packages' 
files? Examples?