[refpolicy] Transition unconfined users to dpkg_t domain

Dominick Grift dominick.grift at gmail.com
Thu Jan 9 08:46:48 EST 2014


On Thu, 2014-01-09 at 13:24 +0100, Laurent Bigonville wrote:
> Resending to the ML as the CC was lost.
> 
> Le Tue, 7 Jan 2014 18:12:07 +0100,
> Laurent Bigonville <bigon at debian.org> a écrit :
> 
> > Le Tue, 7 Jan 2014 16:09:25 +0100,
> > Sven Vermeulen <sven.vermeulen at siphos.be> a écrit :
> > 
> > > I think in general, unconfined should remain unconfined (i.e.
> > > can_exec but no domtrans). Easier to keep as a principle.
> > > 

I agree, if it was not for MLS requirements i would probably do the same
for sysadm_t

Would have been even nicer IMHO if we could get rid of those package
manager domains in general. unfortunately i do not think that is
feasible since unprivileged users sometimes are also able to use the
package managers to install files via setuid/setgid frontends.

The other compelling reasons for those domains sometimes do not apply
anymore. Like file transitions ( we have named file transitions now ),
role transitions (no need for role transitions with systemd).





More information about the refpolicy mailing list