The horror of providing full SELinux support out of the box is install scripts.

Installing the files of a package is rather easy. Install them, relabel them. This can be added to the package manager. (And I believe dpkg already does that.)

However, package install scripts are becoming more and more complex, and they aren’t SELinux aware. And there is a lot of stuff that can go wrong here.

For example, a package might want to generate a configuration file for the service you just installed. If this configuration file is to have the same context as the directory containing the configuration file, there won’t be a problem - but if it’s to have a different context, the generated file will be incorrectly labeled.

I see two basic solutions to this:

  • require by policy all package install scripts to register all files they created (and the registration application could then take care of the appropriate file labeling) - but this will take a long time to be adopted by all packages
  • monitor package install scripts for file creation, and relabel them automatically. However, many install scripts will also start the service the package contains; monitoring shouldn’t extend to them, so I doubt this will actually work, and problems might still arise due to delays in relabeling

Any other smart solution for these problems?

Sometimes I wish we could do without Turing-complete postinst scripts…
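
A sketch of the first option above (install scripts register the files they create, and a separate step relabels them), added here as an illustration and not taken from dpkg or any existing packaging policy. The names `MANIFEST`, `register_file`, `registered_existing` and `relabel_registered` and the manifest path are hypothetical; `selinuxenabled` and `restorecon` are the standard SELinux utilities.

```shell
#!/bin/sh
# Hypothetical helpers a postinst script could source (added example).
# Intended use in a postinst:
#   generate_config > /etc/example/service.conf   # inherits the parent dir's context
#   register_file /etc/example/service.conf
#   relabel_registered                            # run before starting the service
MANIFEST="${MANIFEST:-/var/lib/example-pkg/created-files.list}"

# Record a file the install script created. Relative paths are rejected
# because file-context rules are matched against absolute paths.
register_file() {
    case "$1" in
        /*) ;;
        *) echo "register_file: not an absolute path: $1" >&2; return 1 ;;
    esac
    mkdir -p "$(dirname "$MANIFEST")"
    # Skip duplicates so re-running the script on upgrade does not grow the list.
    grep -qxF -- "$1" "$MANIFEST" 2>/dev/null || printf '%s\n' "$1" >> "$MANIFEST"
}

# Print the registered paths that still exist on disk, one per line.
registered_existing() {
    [ -f "$MANIFEST" ] || return 0
    while IFS= read -r path; do
        [ -e "$path" ] && printf '%s\n' "$path"
    done < "$MANIFEST"
    return 0
}

# Reset each surviving registered file to the context the loaded policy
# assigns to its path. Prints how many files were relabeled; prints 0 when
# SELinux is absent or disabled, so the script also works on such systems.
relabel_registered() {
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled \
        || ! command -v restorecon >/dev/null 2>&1; then
        echo 0
        return 0
    fi
    registered_existing | while IFS= read -r path; do
        restorecon -F "$path" >/dev/null && echo "$path"
    done | wc -l
}
```

Calling `relabel_registered` before the script starts the service closes the window in which the service would read a mislabeled configuration file.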