On Sun, Oct 21, 2007 at 11:30:08PM -0500, Manoj Srivastava wrote:
> On Mon, 22 Oct 2007 07:01:33 +1000, Anthony Towns wrote:
> This is because the default is to deny by default -- and thus
> security policy modules _add_ the permissions for special tasks that
> packages need to do. Lacking security policy does not mean you have a
> security hole --

Oh, well in that case you only need it to happen before the postinst,
not before the preinst. That's much closer to something triggers could
do -- for instance, if you hacked libc6 to be interested in a file
trigger for /, then anytime you installed an arch:any package, you'd
have:

    libc6 installed, foo-any uninstalled
        foo-any unpack
    libc6 trigger-await, foo-any unpacked
        libc6.postinst triggered /
    libc6 installed, foo-any unpacked
        foo-any.postinst configure
    libc6 installed, foo-any installed

The foo-any Depends: libc6 relationship is required for that ordering
to be guaranteed, afaics though. Generalising that to some sort of
"Ensure-Always-Configured: yes" header that the selinux-policy package
could use might be feasible though.

(All of the above assumes my understanding of triggers is accurate;
I haven't looked at the code)

Cheers,
aj