From: dominick.grift@gmail.com (Dominick Grift) Date: Thu, 09 Jan 2014 17:12:52 +0100 Subject: [refpolicy] Transition unconfined users to dpkg_t domain In-Reply-To: <20140109165738.77a1d0a8@soldur.bigon.be> References: <20140107132919.5779c6c0@soldur.bigon.be> <20140107181207.13f8826d@soldur.bigon.be> <20140109132449.783398e6@soldur.bigon.be> <1389275208.14773.43.camel@x220.localdomain> <20140109165738.77a1d0a8@soldur.bigon.be> Message-ID: <1389283972.15747.21.camel@x220.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, 2014-01-09 at 16:57 +0100, Laurent Bigonville wrote: > rpm (and now dpkg since 1.17) are explicitly trying to run the > maintainer scripts in a specific domain (see > rpm_execcon()/setexecfilecon()). > > So this means that an unconfined user trying to run dpkg in enforce > mode will get an error (my laptop is running in permissive so I didn't > saw that before) as context_type_set() will fail. > > An idea how to fix this? Nope, but i think this should be at least configurable. Heck, how does dpkg know what type to use with setexeccon? Is that hard-coded? Is there some configuration file somewhere that it reads that tells it what type to use? if so then maybe you can also use that to tell it when to use it and when not?