This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch master
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=0c84e3473bf7765565ddb07cebfab09d28a94582

commit 0c84e3473bf7765565ddb07cebfab09d28a94582
Author: Guillem Jover <guil...@debian.org>
AuthorDate: Sat Feb 23 04:39:37 2019 +0100

    dpkg: Add new option --refuse-security-mac to control SELinux
    
    This new option works in both dpkg and dpkg-statoverride. And dpkg will
    pass it to its children, which means dpkg-statoverride called from a
    maintainer script will automatically pick it up.
    
    Ref: #811037
---
 debian/changelog          | 2 ++
 man/dpkg-statoverride.man | 5 +++++
 man/dpkg.man              | 5 +++++
 src/force.c               | 5 +++++
 src/force.h               | 1 +
 src/selinux.c             | 3 ++-
 src/statcmd.c             | 2 +-
 7 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 75325fbc4..8134a20a5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -15,6 +15,8 @@ dpkg (1.19.5) UNRELEASED; urgency=medium
   * dpkg-statoverride: Switch from --force option to new --force-<thing>
     options. Deprecate --force option which will be considered an alias for
     --force-all for now.
+  * dpkg, dpkg-statoverride: Add new option --refuse-security-mac to control
+    SELinux. See #811037.
   * Documentation:
     - start-stop-daemon(1): Document behavior of --pidfile security checks.
       Closes: #921557
diff --git a/man/dpkg-statoverride.man b/man/dpkg-statoverride.man
index 8b235097e..f8a21b7ba 100644
--- a/man/dpkg-statoverride.man
+++ b/man/dpkg-statoverride.man
@@ -108,6 +108,11 @@ Overwrite an existing stat override when adding it (since dpkg 1.19.5).
 
 \fBstatoverride\-remove\fP:
 Ignore a missing stat override when removing it (since dpkg 1.19.5).
+
+\fBsecurity\-mac\fP(*):
+Use platform-specific Mandatory Access Controls (MAC) based security when
+installing files into the filesystem (since dpkg 1.19.5).
+On Linux systems the implementation uses SELinux.
 .TP
 .B \-\-force
 Force an action, even if a sanity check would otherwise prohibit it.
diff --git a/man/dpkg.man b/man/dpkg.man
index 3f1637a10..43e039ae8 100644
--- a/man/dpkg.man
+++ b/man/dpkg.man
@@ -624,6 +624,11 @@ Overwrite an existing stat override when adding it (since dpkg 1.19.5).
 \fBstatoverride\-remove\fP:
 Ignore a missing stat override when removing it (since dpkg 1.19.5).
 
+\fBsecurity\-mac\fP(*):
+Use platform-specific Mandatory Access Controls (MAC) based security when
+installing files into the filesystem (since dpkg 1.19.5).
+On Linux systems the implementation uses SELinux.
+
 \fBunsafe\-io\fP:
 Do not perform safe I/O operations when unpacking (since dpkg 1.15.8.6).
 Currently this
diff --git a/src/force.c b/src/force.c
index a341b5bbb..5fa19ee1c 100644
--- a/src/force.c
+++ b/src/force.c
@@ -73,6 +73,11 @@ static const struct forceinfo {
                FORCETYPE_DAMAGE,
                N_("Set all force options"),
        }, {
+               "security-mac",
+               FORCE_SECURITY_MAC,
+               FORCETYPE_ENABLED,
+               N_("Use MAC based security if available"),
+       }, {
                "downgrade",
                FORCE_DOWNGRADE,
                FORCETYPE_ENABLED,
diff --git a/src/force.h b/src/force.h
index 05b2b34e9..986e7fa81 100644
--- a/src/force.h
+++ b/src/force.h
@@ -52,6 +52,7 @@ enum force_flags {
        FORCE_UNSAFE_IO = DPKG_BIT(23),
        FORCE_STATOVERRIDE_ADD = DPKG_BIT(24),
        FORCE_STATOVERRIDE_DEL = DPKG_BIT(25),
+       FORCE_SECURITY_MAC = DPKG_BIT(26),
        FORCE_ALL = 0xffffffff,
 };
 
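Review bot: `FORCE_ALL = 0xffffffff` already covers `DPKG_BIT(26)`, so the new `FORCE_SECURITY_MAC` bit is swept up by the `all` force option. If the refuse/no-force form of `all` clears every bit in that mask, `--refuse-all` would now also switch off SELinux labelling as a side effect; how `all` is handled is not visible in this hunk. Unlike the neighbouring bits, this one is a protection that is on by default, so the coupling deserves a comment next to the enumerator, e.g. `/* On by default; part of FORCE_ALL, so refusing all also disables MAC labelling. */`, and a sentence in the two man page entries.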
diff --git a/src/selinux.c b/src/selinux.c
index 91256b752..2218bd2ed 100644
--- a/src/selinux.c
+++ b/src/selinux.c
@@ -53,7 +53,8 @@ dpkg_selabel_load(void)
                int rc;
 
                /* Set selinux_enabled if it is not already set (singleton). */
-               selinux_enabled = (is_selinux_enabled() > 0);
+               selinux_enabled = (in_force(FORCE_SECURITY_MAC) &&
+                                  is_selinux_enabled() > 0);
                if (!selinux_enabled)
                        return;
 
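Review bot: When `--refuse-security-mac` is given on a host where SELinux is enabled, the new condition sends dpkg_selabel_load() down the `if (!selinux_enabled) return;` path silently, so nothing records that labelling was deliberately turned off. Files installed in that run would presumably keep whatever context they get by default rather than the one the policy specifies, which matters to anyone later investigating mislabelled paths or denials. A warning or debug message on that path would help. The comment above the assignment still describes only the singleton behaviour; I would extend it to `/* Set selinux_enabled if it is not already set (singleton); refusing security-mac disables labelling even when SELinux is enabled. */`. The function body starts and ends outside the hunk.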
diff --git a/src/statcmd.c b/src/statcmd.c
index 2220b82d4..33a426abb 100644
--- a/src/statcmd.c
+++ b/src/statcmd.c
@@ -104,7 +104,7 @@ usage(const struct cmdinfo *cip, const char *value)
 }
 
 #define FORCE_STATCMD_MASK \
-       FORCE_STATOVERRIDE_ADD | FORCE_STATOVERRIDE_DEL
+       FORCE_SECURITY_MAC | FORCE_STATOVERRIDE_ADD | FORCE_STATOVERRIDE_DEL
 
 static const char *admindir;
 const char *instdir;
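Review bot: The `FORCE_STATCMD_MASK` expansion is not parenthesised, and this change lengthens it to three `|` terms with `FORCE_SECURITY_MAC` now first. A use such as `flags & FORCE_STATCMD_MASK` would bind `&` to that first term only, because `&` has higher precedence than `|`, and the result would always have the two statoverride bits set. The macro's uses are outside this hunk, so this may be latent rather than live. I would write the body as `(FORCE_SECURITY_MAC | FORCE_STATOVERRIDE_ADD | FORCE_STATOVERRIDE_DEL)`.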

-- 
Dpkg.Org's dpkg
