On Feb 6, 2010, at 11:56 AM, Tomasz Pala wrote:

> On Sat, Feb 06, 2010 at 12:04:07 +0100, Zbyniu Krzystolik wrote:
> 
>>> Anyone knows if it is or is going to be possible in rpm to store xattrs?
>> 
>> Not possible now.
> 
> And how about The Other RPM? This is a must-be feature and sooner or
> later we must get rid of broken by design SUID/SGID...
> 

You must mean rpm-5.0 as the "other rpm" ;-)

Yes. rpm.org has a defined tag for capabilities, and perhaps for
ACL's (of the linux persuasuoin, how to package ACl'l portably
for *BSD and MacOSX is a nastier but solvable issue).

When I looked at porting support for capabilities & ACL's, this
reasoning mad me reluctant:

        There are > 300K files in a typical rpm distro.

        Out of that 300K files, perhaps 100-500 files would
        benefit (afaik) from adding support for capabilities/ACL's.

        Adding an additional per-file tag to benefit 500 of 300,000
        files, with the additional download bandwidth needed to
        represent missing/unused info doesn't make much sense.

        Making the tag "optional", present iff explicitly added,
        while doable, creates a different sort of "missing" or "optional"
        problem.

But if you want capabilities/ACL's ported to rpm-4.5, I can do that in
an afternoon if you wish.


>> My note may be interested for you (pl); libcap-ng utils can simplify it.
>> http://zz.iapt.pl/bez_root2.txt
> 
> That's similar to thing I want to do. The difference is you drop
> capabilities, and I want to set some for regular users (either
> designated - for daemons having it's own files and secrets, or nobody
> for anything else, using start-stop-daemon --chuid). Like this:
> 
> setcap cap_net_bind_service=ei =nc
> execcap cap_net_bind_service=i su - gotar -c 'nc -l -p 34'
> 
> but this obviously requires tagging binaries. The problem is tracking
> all the xattrs (caps and ACLs).
> 

Yes, tracking *all* the file paths is exactly the same as SElinux
xattr's. Note that SELinux currently doesn't trust its means to "track"
the xattrs across *all* file paths suufficiently that they have chosen
to "package" SELinuc modular policy with

        Any SElinux attr that is installed is never removed.

Similar issues will be seen with capabilities/ACL's tracked across
*all* file paths in addition to the bloat I mentioned.

No matter what:
There's nothing stopping you from the applying capabilities/ACL's
in %post, and removing same (if necessary) in %postun and verifying
that indeed the correct capabilities/ACL's are applied using %verifyscript.

hth

73 de Jeff
_______________________________________________
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en

Reply via email to