On Thursday 06 March 2008 03:24, Erich Schubert <erich@debian.org> wrote:
> Back when I did the initial apt_t policy, I was considering to setup
> domains such as apt_script_t and run the package installation scripts in
> this domain. This would have been similar to the rpm_script_t domain.

I don't believe that it is possible to gain any security benefit from splitting dpkg_t, apt_t, and a domain for the scripts.

If apt decides that a certain package is to be installed then dpkg will not object, therefore granting apt less privileges than dpkg will not give any real benefit.

Pre/post install/remove scripts in Debian packages may do almost anything - and often do. Any restrictions on what such scripts may do will break large numbers of packages. Unless we can get changes to Debian policy relating to what such scripts may do (which seems quite unlikely) then we have to allow writing to almost all files in the system.

> The amount of things done in postinst scripts is one of the things that
> really scares me from a security point of view. It might be very
> valuable to use a tight SELinux policy to restrict these scripts,
> however when it comes down to having a SELinux policy package update it
> becomes a Catch-22 somewhat.
> It would definitely help to have separate apt_t and apt_script_t
> domains, though, to be able to differentiate access for installation
> scripts and the package manager itself.

What meaningful restrictions can be applied to one but not the other?

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.