[refpolicy] [PATCH] Allow unconfined users to transition to dpkg_t domain

Christopher J. PeBenito cpebenito at tresys.com
Mon Jan 27 13:20:26 EST 2014


On 01/11/14 09:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon at bigon.be>
> 
> dpkg is now using rpm_execcon()/setexecfilecon()-like function to
> transition to the dpkg_script_t domain. This function will fail in
> enforcing mode if the transition is not allowed.
> ---
>  policy/modules/system/unconfined.te | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 667f2a0..c22d964 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -76,6 +76,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dpkg_run(unconfined_t, unconfined_r)
> +')
> +
> +optional_policy(`
>  	firstboot_run(unconfined_t, unconfined_r)
>  ')

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


More information about the refpolicy mailing list