[refpolicy] Transition unconfined users to dpkg_t domain

Stephen Smalley sds at tycho.nsa.gov
Thu Jan 9 15:32:03 EST 2014


On 01/09/2014 03:26 PM, Daniel J Walsh wrote:
> On 01/09/2014 11:36 AM, Dominick Grift wrote:
>> On Thu, 2014-01-09 at 17:19 +0100, Laurent Bigonville wrote:
> 
>>>
>>> Actually it's the same code as rpm currently uses.
>>>
>>> It looks at the fcontext of the script then uses secure_compute_create to
>>> see if a transition would occures. If it's the case it will make it 
>>> transition to that context, otherwise it's indeed using a hardcoded 
>>> context.
> 
>> hard-coding configurable security identifiers is bad practice. I would not
>> look too much to Fedora.
> 
>> In /etc/selinux there are config files that tell selinux aware programs 
>> what context to use in what situations. Programs should consult those 
>> config files, then use that information to determine whether to transition
>> or not, and where to.
> 
>> Disclaimer: thats just my opinion
> 
>> _______________________________________________ refpolicy mailing list 
>> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> It has been like that for years.  Might have been a chicken and egg problem on
> initial install.  RPM Now has better flexibility.

bootstrapping issue - needed to know the right domain prior to any
policy files being installed on the filesystem.



More information about the refpolicy mailing list