glibc post upgrade

Stephen Smalley sds at epoch.ncsc.mil
Mon Aug 23 17:21:16 UTC 2004


On Mon, 2004-08-23 at 12:56, Jeff Johnson wrote:
> Yes, rpm_script_t is applied only for /bin/sh, not for other helpers
> like /sbin/ldconfig, and /usr/sbin/{glibc,libgcc}_post_upgrade, to name
> the other known helpers.
> 
> I can certainly change that behavior, and have asked several times if I 
> should, with no answer.

I think it should change.  For now, I'd say just use rpm_script_t for
all commands executed from the scriptlets specified in the spec file,
whether run via an interpreter or as a direct executable.  Note that on
the policy side, the domain_trans(rpm_t, shell_exec_t, rpm_script_t)
rule should be changed to include any of the possible entrypoint types. 
However, it should work even without that change in the Fedora policy,
because the unlimitedRPM tunable is enabled by default.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency



