[refpolicy] Transition unconfined users to dpkg_t domain

Daniel J Walsh dwalsh at redhat.com
Thu Jan 9 15:26:14 EST 2014


On 01/09/2014 11:36 AM, Dominick Grift wrote:
> On Thu, 2014-01-09 at 17:19 +0100, Laurent Bigonville wrote:
> 
>> 
>> Actually it's the same code as rpm currently uses.
>> 
>> It looks at the fcontext of the script then uses secure_compute_create to
>> see if a transition would occur. If it's the case it will make it 
>> transition to that context, otherwise it's indeed using a hardcoded 
>> context.
> 
> Hard-coding configurable security identifiers is bad practice. I would not
> look too much to Fedora.
> 
> In /etc/selinux there are config files that tell selinux aware programs 
> what context to use in what situations. Programs should consult those 
> config files, then use that information to determine whether to transition
> or not, and where to.
> 
> Disclaimer: that's just my opinion
> 
It has been like that for years.  Might have been a chicken-and-egg problem on
initial install.  RPM now has better flexibility.

