prelink and yum conflict
Jeff Johnson
n3npq at nc.rr.com
Tue Oct 12 15:01:27 UTC 2004
Stephen Smalley wrote:
>Sounds reasonable. libselinux would presumably fetch the context of the
>interpreter/helper via getfilecon(), then call security_compute_create()
>to see if there is a default transition defined for the
>interpreter/helper, and if not, then explicitly setexeccon() to
>rpm_script_t. Might want to also pass the result of the signature
>verify as a further input in selecting the desired domain.
>
Do you want just result or do you want {plaintext,signature,pubkey} triple?
I suppose a simple container struct with both could be arranged,
something like
struct {
int verifiedreturncode; /* 0 == OK, 1 == notfound(unused), 2 ==
verifyfail, 3 == nottrusted 4 == nokey */
byte * plaintext;
size_t plaintextlen;
enum pktencodingtype /* OpenPGP, X.509, whatever */
byte * signature;
size_t signaturelen
byte * pubkey;
size_t pubkeylen;
};
starts to permit reasonably paranoid libselinux extensions into the land
of signature verification.
Yes, there are a slew of issues involving algorithms and parsing and
more that selinux perhaps
does not want to bite into quite yet.
73 de Jeff
More information about the selinux
mailing list