Bug ID 1208004
Summary Make %post script SELinux aware
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Basesystem
Assignee max@suse.com
Reporter jsegitz@suse.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

In ntp.spec
if [ ! -f $KEYSFILE ]; then
  FILE=$(mktemp -p /etc)
  chmod 0640 $FILE
  chown root:ntp $FILE
  mv $FILE $KEYSFILE
fi

This will cause issues with SELinux. Please use mv -Z so the label is set
correctly.

While the current state of this post script is safe, the frequent use of chmod
and the like is worrisome. You need to make sure that future changes never
allow unprivileged users additional control (e.g. operating in a user-owned
directory).

A way to reduce the attack surface could be to move this to a packaged script
and then run it only once to fix/convert existing installations.
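
As an added illustration (not part of the report and not code from ntp.spec), the key-file creation could be written as a small function that uses mv -Z. The function name, the cleanup on error and the restorecon fallback for an mv without -Z are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from ntp.spec).
# Usage: create_keys_file KEYSFILE [GROUP]
create_keys_file() {
    keysfile=$1
    group=${2:-}

    # Same guard as the spec snippet: never touch an existing file.
    if [ -f "$keysfile" ]; then
        return 0
    fi

    # Create the temp file next to the destination so mv is a plain rename.
    tmp=$(mktemp -p "$(dirname -- "$keysfile")") || return 1
    chmod 0640 "$tmp" || { rm -f -- "$tmp"; return 1; }
    if [ -n "$group" ]; then
        chown "root:$group" "$tmp" || { rm -f -- "$tmp"; return 1; }
    fi

    # A rename keeps the label the temp file received at creation. GNU mv -Z
    # resets the destination to the policy's default context for its path.
    if mv -Z -- "$tmp" "$keysfile" 2>/dev/null; then
        return 0
    fi

    # Assumed fallback for an mv without -Z: rename, then relabel if
    # SELinux is enabled on the running system.
    mv -- "$tmp" "$keysfile" || { rm -f -- "$tmp"; return 1; }
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon "$keysfile" || return 1
    fi
    return 0
}

# In the %post script this would be called as: create_keys_file "$KEYSFILE" ntp
```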

