2014-01-11 14:23:22

by Laurent Bigonville

Subject: [refpolicy] [PATCH] Allow unconfined users to transition to dpkg_t domain

From: Laurent Bigonville <[email protected]>

dpkg is now using rpm_execcon()/setexecfilecon()-like function to
transition to the dpkg_script_t domain. This function will fail in
enforcing mode if the transition is not allowed.
---
policy/modules/system/unconfined.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 667f2a0..c22d964 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -76,6 +76,10 @@ optional_policy(`
')

optional_policy(`
+ dpkg_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
firstboot_run(unconfined_t, unconfined_r)
')
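
Review bot: the added dpkg_run(unconfined_t, unconfined_r) line is justified in the commit message by a transition to dpkg_script_t, while the subject names dpkg_t, so the two domains should be reconciled. The message should state which transition the setexecfilecon()-like call fails on in enforcing mode, ideally quoting the denial, and how dpkg_run covers it, so that a reader can confirm the interface grants that transition and nothing broader than the change needs. Placing the new optional_policy block before firstboot_run keeps the blocks in alphabetical order, which is fine as is.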

--
1.8.5.2


2014-01-25 10:54:36

by Laurent Bigonville

Subject: [refpolicy] [PATCH] Allow unconfined users to transition to dpkg_t domain

Hi,

On Sat, 11 Jan 2014 15:23:22 +0100,
Laurent Bigonville <[email protected]> wrote:

> From: Laurent Bigonville <[email protected]>
>
> dpkg is now using rpm_execcon()/setexecfilecon()-like function to
> transition to the dpkg_script_t domain. This function will fail in
> enforcing mode if the transition is not allowed.
> ---
> policy/modules/system/unconfined.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/unconfined.te
> b/policy/modules/system/unconfined.te index 667f2a0..c22d964 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -76,6 +76,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dpkg_run(unconfined_t, unconfined_r)
> +')
> +
> +optional_policy(`
> firstboot_run(unconfined_t, unconfined_r)
> ')
>

Are there any plans to merge this patch then? (*ping*)

Cheers,

Laurent Bigonville

2014-01-27 18:20:26

by cpebenito

Subject: [refpolicy] [PATCH] Allow unconfined users to transition to dpkg_t domain

On 01/11/14 09:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> dpkg is now using rpm_execcon()/setexecfilecon()-like function to
> transition to the dpkg_script_t domain. This function will fail in
> enforcing mode if the transition is not allowed.
> ---
> policy/modules/system/unconfined.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 667f2a0..c22d964 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -76,6 +76,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dpkg_run(unconfined_t, unconfined_r)
> +')
> +
> +optional_policy(`
> firstboot_run(unconfined_t, unconfined_r)
> ')

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com