[DSE-Dev] refpolicy: domains need access to the apt's pty and fifos
Russell Coker
russell at coker.com.au
Thu Mar 6 10:17:16 UTC 2008
On Thursday 06 March 2008 03:24, Erich Schubert <erich at debian.org> wrote:
> Back when I did the initial apt_t policy, I was considering to setup
> domains such as apt_script_t and run the package installation scripts in
> this domain. This would have been similar to the rpm_script_t domain.
I don't believe that it is possible to gain any security benefit from
splitting dpkg_t, apt_t, and a domain for the scripts.
If apt decides that a certain package is to be installed then dpkg will not
object, therefore granting apt fewer privileges than dpkg will not give any
real benefit.
Pre/post install/remove scripts in Debian packages may do almost anything -
and often do. Any restrictions on what such scripts may do will break large
numbers of packages. Unless we can get changes to Debian policy relating to
what such scripts may do (which seems quite unlikely) then we have to allow
writing to almost all files in the system.
> The amount of things done in postinst scripts is one of the things that
> really scares me from a security point of view. It might be very
> valuable to use a tight SELinux policy to restrict these scripts,
> however when it comes down to having a SELinux policy package update it
> becomes a Catch-22 somewhat.
> It would definitely help to have separate apt_t and apt_script_t
> domains, though, to be able to differentiate access for installation
> scripts and the package manager itself.
What meaningful restrictions can be applied to one but not the other?
--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development