On Mon, 2006-05-01 at 17:13 -0500, Klaus Weidner wrote: > Can the RPM pre/postinstall scripts currently do absolutely anything?
In terms of both SE Linux and Unix functionality the answer is yes. The only thing that may be impossible is for a pre/post script to install another RPM package. > That would be an unpleasant loophole, but I don't know an easy way to > fix that without potentially breaking RPM. There has been some discussion about having different classes of RPM. Signed RPMs (from Red Hat and also from other trusted organizations) would be installed in the current manner. Unsigned RPMs and RPMs signed by unknown signatures would be installed in a different context, they would have different file types for files that are installed (eg untrusted_bin_t etc) and certain domains would not be permitted to execute such files. The untrusted types would be in the same category as the home types in terms of restorecon not touching them. Untrusted rpms installed in such a manner would probably not be permitted to run pre/post scripts, or if they were then the scripts would be very limited. -- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
