RPM

Running scripts with specific credentials

Registered by Jeff Johnson

MeeGo will have a security framework that will heavily leverage SMACK and
IMA/EVM. When packages are installed, we need to be able to set SMACK
labels, calculate/verify/set the digsigsums and run scripts with specific
credentials. I know that the plugin will not support all we need with
respect to this. For example, there is no plugin support for getting
called right after a file has been extracted, which would seem to be the
optimal time (from a security perspective) to handle the digsigsum and
SMACK label. Also, running installation scripts with separate credentials
can't be done from the plugin. RPM does support doing both of these
things for SELinux, but the functionality to do that resides outside of
the plugin in older code. I would actually love to see some of this
functionality that was created for SELinux in other parts of the RPM code
base migrate into the plugin so that others can utilize the functionality,
but I also understand the limited scope of the plugin as it currently
exists.

Blueprint information

Status: Not started
Approver: Jeff Johnson
Priority: Low
Drafter: None
Direction: Approved
Assignee: Jeff Johnson
Definition: Discussion
Series goal: None
Implementation: Deferred
Milestone target: 5.3.6

Whiteboard

MeeGo -> Tizen, and the current patches/proposal is here:
    http://lists.rpm.org/pipermail/rpm-maint/2011-December/003135.html
