[refpolicy] Transition unconfined users to dpkg_t domain
dominick.grift at gmail.com
Thu Jan 9 11:36:42 EST 2014
On Thu, 2014-01-09 at 17:19 +0100, Laurent Bigonville wrote:
> Actually it's the same code as rpm currently uses.
> It looks at the fcontext of the script then uses secure_compute_create
> to see if a transition would occur. If it's the case it will make it
> transition to that context, otherwise it's indeed using a hardcoded
Hard-coding configurable security identifiers is bad practice. I would
not look too much to Fedora.
In /etc/selinux there are config files that tell SELinux-aware programs
what context to use in what situations. Programs should consult those
config files, then use that information to determine whether to
transition or not, and where to.
Disclaimer: that's just my opinion