[refpolicy] [PATCH] Allow unconfined users to transition to dpkg_t domain

Laurent Bigonville bigon at debian.org
Sat Jan 25 05:54:36 EST 2014


Hi,

On Sat, 11 Jan 2014 15:23:22 +0100,
Laurent Bigonville <bigon at debian.org> wrote:

> From: Laurent Bigonville <bigon at bigon.be>
> 
> dpkg is now using an rpm_execcon()/setexecfilecon()-like function to
> transition to the dpkg_script_t domain. This function will fail in
> enforcing mode if the transition is not allowed.
> ---
>  policy/modules/system/unconfined.te | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/system/unconfined.te
> b/policy/modules/system/unconfined.te index 667f2a0..c22d964 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -76,6 +76,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dpkg_run(unconfined_t, unconfined_r)
> +')
> +
> +optional_policy(`
>  	firstboot_run(unconfined_t, unconfined_r)
>  ')
>  
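
Review bot: The added dpkg_run(unconfined_t, unconfined_r) line and the subject name the dpkg_t domain, while the commit message describes the failing transition as the one to dpkg_script_t, so the patch does not say which transition this interface call is meant to permit. Please state in the commit message how allowing unconfined_t to run dpkg covers the dpkg_script_t transition done by the setexecfilecon()-like call, and consider a one-line comment above the new optional_policy block noting that dpkg fails in enforcing mode without it, so the rule is not later dropped as redundant.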

Are there any plans to merge this patch then? (*ping*)

Cheers,

Laurent Bigonville

