On 05.11.2015 at 13:14, Carlos E. R. wrote:
On 2015-11-05 11:42, Johannes Meixner wrote:
This raises a subsequent issue:
I assume it is too complicated (or simply impossible) to have an AppArmor profile for rpm so that rpm cannot change already existing files in other packages.
Therefore "updating" third party RPMs with this profile active would have to be done by first removing the installed third party RPM and then installing the new version of the third party RPM from scratch.
Different approach idea: install the rpm and somehow list or catch any written or changed file outside of those listed by "rpm -ql ..."
Is that possible?
Yes. By using the audit subsystem. You can log which process changes which files, then check if it is a child of RPM (you don't want to wade through everything else that's going on on a busy file server while installing Flash Player on it ;-P), and if it is, log everything that's changed. Then, after rpm is finished installing, use this log and compare it to what the package actually claims to have done. Combine this with a snapper snapshot before and after the installation and it should be possible to restore things to a working order afterwards. Or maybe with some help of a kernel driver, we could even intercept all the calls that a certain process does (in this case rpm and its children) and create a backup of every file that is touched by the installation (this is not possible AFAIK by just using audit, because audit only *notifies* you of changes, but there is no way to intercept the calls, so once you are notified, the file is already modified, too late to back up).
I know it is possible to catch the changes with something like the seccheck scripts that run off cron, but it is heavy processing and would find also changes not done by this install.
Exactly. And you would not know who had done the changes.

-- 
Stefan Seyfried

"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
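The audit-based check Stefan describes (log file writes, keep only those made by rpm or its descendants, then compare against what the package claims to own) can be scripted. The following is an added example, not code from the thread or from openSUSE: it parses raw audit records of the kind `ausearch -k rpminstall --raw` would return, rebuilds the process tree from the pid/ppid pairs in the SYSCALL records, and reports every path written by the install that is missing from the `rpm -ql` manifest. The audit key name, the sample audit lines and the package manifest are all constructed for the example; the audit rule that would produce such records is given in a comment as an assumption.

```python
import re
from collections import defaultdict

# Assumed audit rule (loaded before running rpm; "rpminstall" is an arbitrary key):
#   auditctl -a always,exit -F arch=b64 -F perm=wa -F key=rpminstall
# Constructed sample of the raw records such a rule would emit; not a real capture.
# rpm (pid 5150) installs two files, its %post scriptlet (sh, pid 5160) rewrites a
# sysconfig file and runs ldconfig (pid 5165); an unrelated cron (pid 7000) also writes.
AUDIT_SAMPLE = """\
type=SYSCALL msg=audit(1446726000.101:2001): arch=c000003e syscall=257 success=yes exit=4 ppid=4242 pid=5150 auid=1000 uid=0 comm="rpm" exe="/usr/bin/rpm" key="rpminstall"
type=PATH msg=audit(1446726000.101:2001): item=0 name="/usr/lib64/flashplayer/" inode=1001 nametype=PARENT
type=PATH msg=audit(1446726000.101:2001): item=1 name="/usr/lib64/flashplayer/libflashplayer.so" inode=1002 nametype=CREATE
type=SYSCALL msg=audit(1446726000.102:2002): arch=c000003e syscall=257 success=yes exit=4 ppid=4242 pid=5150 auid=1000 uid=0 comm="rpm" exe="/usr/bin/rpm" key="rpminstall"
type=PATH msg=audit(1446726000.102:2002): item=0 name="/usr/share/doc/packages/flash-player/" inode=1003 nametype=PARENT
type=PATH msg=audit(1446726000.102:2002): item=1 name="/usr/share/doc/packages/flash-player/README" inode=1004 nametype=CREATE
type=SYSCALL msg=audit(1446726000.150:2003): arch=c000003e syscall=257 success=yes exit=3 ppid=5150 pid=5160 auid=1000 uid=0 comm="sh" exe="/bin/bash" key="rpminstall"
type=PATH msg=audit(1446726000.150:2003): item=0 name="/etc/sysconfig/" inode=2001 nametype=PARENT
type=PATH msg=audit(1446726000.150:2003): item=1 name="/etc/sysconfig/flash-player" inode=2002 nametype=NORMAL
type=SYSCALL msg=audit(1446726000.160:2004): arch=c000003e syscall=257 success=yes exit=3 ppid=5160 pid=5165 auid=1000 uid=0 comm="ldconfig" exe="/sbin/ldconfig" key="rpminstall"
type=PATH msg=audit(1446726000.160:2004): item=0 name="/etc/" inode=2 nametype=PARENT
type=PATH msg=audit(1446726000.160:2004): item=1 name="/etc/ld.so.cache" inode=2003 nametype=CREATE
type=SYSCALL msg=audit(1446726000.170:2005): arch=c000003e syscall=257 success=yes exit=5 ppid=1 pid=7000 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key="rpminstall"
type=PATH msg=audit(1446726000.170:2005): item=0 name="/var/log/" inode=3001 nametype=PARENT
type=PATH msg=audit(1446726000.170:2005): item=1 name="/var/log/cron" inode=3002 nametype=NORMAL
"""

# Constructed stand-in for the output of `rpm -ql flash-player`.
MANIFEST = [
    "/usr/lib64/flashplayer",
    "/usr/lib64/flashplayer/libflashplayer.so",
    "/usr/share/doc/packages/flash-player",
    "/usr/share/doc/packages/flash-player/README",
]

SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(\d+)\):.*?success=(\w+)'
    r'.*?ppid=(\d+) pid=(\d+).*?comm="([^"]*)".*?key="([^"]*)"')
PATH_RE = re.compile(
    r'type=PATH msg=audit\([\d.]+:(\d+)\):.*?name="([^"]*)".*?nametype=(\w+)')


def parse_audit(text):
    """Group SYSCALL and PATH records by their audit serial number."""
    events = {}
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            serial, success, ppid, pid, comm, key = m.groups()
            ev = events.setdefault(serial, {"paths": []})
            ev.update(success=(success == "yes"), ppid=int(ppid),
                      pid=int(pid), comm=comm, key=key)
            continue
        m = PATH_RE.match(line)
        if m:
            serial, name, nametype = m.groups()
            # PARENT entries name the containing directory, not the object written.
            if nametype != "PARENT":
                events.setdefault(serial, {"paths": []})["paths"].append(name)
    return events


def descendants_of(events, root_pid):
    """Transitive set of pids descended from root_pid, from the pid/ppid pairs seen."""
    pids = {root_pid}
    changed = True
    while changed:
        changed = False
        for ev in events.values():
            if "pid" in ev and ev["ppid"] in pids and ev["pid"] not in pids:
                pids.add(ev["pid"])
                changed = True
    return pids


def written_by_install(events, rpm_pid, key="rpminstall"):
    """Map path -> set of process names that successfully wrote it from rpm's tree."""
    pids = descendants_of(events, rpm_pid)
    written = defaultdict(set)
    for ev in events.values():
        if ev.get("key") == key and ev.get("success") and ev.get("pid") in pids:
            for path in ev["paths"]:
                written[path].add(ev["comm"])
    return written


def unexpected_writes(audit_text, manifest, rpm_pid):
    """Paths touched by the install that the package does not list in its manifest."""
    written = written_by_install(parse_audit(audit_text), rpm_pid)
    declared = set(manifest)
    return {p: sorted(c) for p, c in written.items() if p not in declared}


if __name__ == "__main__":
    for path, procs in sorted(unexpected_writes(AUDIT_SAMPLE, MANIFEST, 5150).items()):
        print(f"{path}  (written by: {', '.join(procs)})")
```

Run against the sample, the report lists `/etc/ld.so.cache` and `/etc/sysconfig/flash-player`, both written from scriptlet children of rpm and absent from the manifest, while the cron write is dropped because pid 7000 is not in rpm's process tree. In real use the serial-based grouping matters because a single write produces one SYSCALL record followed by several PATH records, and the pid filter is what keeps the report readable on a busy host. As Stefan notes, this only tells you what was changed after the fact; pairing it with snapper snapshots is what gives you something to restore from.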