Bug ID | 1208004 |
---|---|
Summary | Make %post script SELinux aware |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Basesystem |
Assignee | max@suse.com |
Reporter | jsegitz@suse.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
In ntp.spec (lines 324-329):

```
if [ ! -f $KEYSFILE ]; then
  FILE=$(mktemp -p /etc)
  chmod 0640 $FILE
  chown root:ntp $FILE
  mv $FILE $KEYSFILE
fi
```

This will cause issues with SELinux. Please use `mv -Z` so the label is set correctly.

While the current state of this post script is safe, the frequent use of chmod and the like is worrisome. You need to make sure that future changes never allow unprivileged users additional control (e.g. operating in a user-owned directory). A way to reduce the attack surface could be to move this to a packaged script and then run it only once to fix/convert existing installations.
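A check for the `mv -Z` request above, as an added example that is not part of the bug report or of ntp.spec: a heuristic lint that lists `mv` calls in a scriptlet that pass neither `-Z` nor `--context`. The function names and both samples are constructed here, and the lint splits lines naively rather than parsing shell syntax.

```shell
#!/bin/sh
# Added example (not from ntp.spec): heuristic lint for RPM scriptlets.
# Lists each mv call that passes neither -Z nor --context, so the moved file
# is not relabelled to the default SELinux type of its destination.

# find_unlabeled_mv [FILE]: reads FILE or stdin, prints "LINE: text",
# and returns 1 if anything was found.
find_unlabeled_mv() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            ncmd = split($0, cmd, /[;|&]+/)  # naive split into simple commands
            for (c = 1; c <= ncmd; c++) {
                nw = split(cmd[c], w, " ")
                seen_mv = 0; labelled = 0
                for (i = 1; i <= nw; i++) {
                    if (!seen_mv) {
                        if (w[i] == "mv" || w[i] ~ /\/mv$/) seen_mv = 1
                    } else if (w[i] ~ /^--context/ || w[i] ~ /^-[A-Za-z]*Z[A-Za-z]*$/) {
                        labelled = 1
                    }
                }
                if (seen_mv && !labelled) { print NR ": " line; bad = 1 }
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the scriptlet fragment quoted in the report.
sample_before() {
    cat <<'EOF'
if [ ! -f $KEYSFILE ]; then
  FILE=$(mktemp -p /etc)
  chmod 0640 $FILE
  chown root:ntp $FILE
  mv $FILE $KEYSFILE
fi
EOF
}
# Constructed sample: the same fragment with the requested mv -Z.
sample_after() { sample_before | sed 's/mv \$FILE/mv -Z $FILE/'; }

# Demo: the first sample is reported, the second passes silently.
sample_before | find_unlabeled_mv || echo "mv without -Z found" >&2
sample_after | find_unlabeled_mv
```

To check an installed package, pipe the output of `rpm -q --scripts ntp` into `find_unlabeled_mv`.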