From: bigon@debian.org (Laurent Bigonville)
Date: Thu, 9 Jan 2014 16:57:38 +0100
Subject: [refpolicy] Transition unconfined users to dpkg_t domain
In-Reply-To: <1389275208.14773.43.camel@x220.localdomain>
References: <20140107132919.5779c6c0@soldur.bigon.be> <20140107181207.13f8826d@soldur.bigon.be> <20140109132449.783398e6@soldur.bigon.be> <1389275208.14773.43.camel@x220.localdomain>
Message-ID: <20140109165738.77a1d0a8@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 09 Jan 2014 14:46:48 +0100,
Dominick Grift wrote:

> On Thu, 2014-01-09 at 13:24 +0100, Laurent Bigonville wrote:
> > Resending to the ML as the CC was lost.
> >
> > On Tue, 7 Jan 2014 18:12:07 +0100,
> > Laurent Bigonville wrote:
> >
> > > On Tue, 7 Jan 2014 16:09:25 +0100,
> > > Sven Vermeulen wrote:
> > >
> > > > I think in general, unconfined should remain unconfined (i.e.
> > > > can_exec but no domtrans). Easier to keep as a principle.
> > >
> > > I agree, if it was not for MLS requirements I would probably do the
> same for sysadm_t
>
> Would have been even nicer IMHO if we could get rid of those package
> manager domains in general. Unfortunately I do not think that is
> feasible since unprivileged users sometimes are also able to use the
> package managers to install files via setuid/setgid frontends.

rpm (and now dpkg since 1.17) are explicitly trying to run the
maintainer scripts in a specific domain (see
rpm_execcon()/setexecfilecon()).

So this means that an unconfined user trying to run dpkg in enforce
mode will get an error (my laptop is running in permissive so I didn't
see that before) as context_type_set() will fail.

Any idea how to fix this?

Cheers,

Laurent Bigonville