[refpolicy] Transition unconfined users to dpkg_t domain

Dominick Grift dominick.grift at gmail.com
Thu Jan 9 11:36:42 EST 2014


On Thu, 2014-01-09 at 17:19 +0100, Laurent Bigonville wrote:

> 
> Actually it's the same code as rpm currently uses.
> 
> It looks at the fcontext of the script then uses secure_compute_create
> to see if a transition would occures. If it's the case it will make it
> transition to that context, otherwise it's indeed using a hardcoded
> context.

hard-coding configurable security identifiers is bad practice. I would
not look too much to Fedora.

In /etc/selinux there are config files that tell selinux aware programs
what context to use in what situations. Programs should consult those
config files, then use that information to determine whether to
transition or not, and where to.

Disclaimer: thats just my opinion 



More information about the refpolicy mailing list