From: bigon@debian.org (Laurent Bigonville)
Date: Thu, 9 Jan 2014 17:19:32 +0100
Subject: [refpolicy] Transition unconfined users to dpkg_t domain
In-Reply-To: <1389283972.15747.21.camel@x220.localdomain>
References: <20140107132919.5779c6c0@soldur.bigon.be>
	<20140107181207.13f8826d@soldur.bigon.be>
	<20140109132449.783398e6@soldur.bigon.be>
	<1389275208.14773.43.camel@x220.localdomain>
	<20140109165738.77a1d0a8@soldur.bigon.be>
	<1389283972.15747.21.camel@x220.localdomain>
Message-ID: <20140109171932.2c48b131@soldur.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 09 Jan 2014 17:12:52 +0100, Dominick Grift wrote:

> On Thu, 2014-01-09 at 16:57 +0100, Laurent Bigonville wrote:
>
> > rpm (and now dpkg since 1.17) are explicitly trying to run the
> > maintainer scripts in a specific domain (see
> > rpm_execcon()/setexecfilecon()).
> >
> > So this means that an unconfined user trying to run dpkg in enforcing
> > mode will get an error (my laptop is running in permissive so I
> > didn't see that before) as context_type_set() will fail.
> >
> > Any idea how to fix this?
>
> Nope, but I think this should be at least configurable. Heck, how does
> dpkg know what type to use with setexeccon? Is that hard-coded? Is
> there some configuration file somewhere that it reads that tells it
> what type to use? If so then maybe you can also use that to tell it
> when to use it and when not?

Actually it's the same code as rpm currently uses. It looks at the
fcontext of the script, then uses security_compute_create to see if a
transition would occur. If that's the case it will make it transition to
that context, otherwise it's indeed using a hardcoded context.
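The decision Laurent describes (compute the default transition for the caller's context and the script's file context; if the policy yields no transition, substitute a hard-coded type) can be dry-run without touching setexeccon(). The program below is an added example written for this thread; it is not dpkg's, rpm's or libselinux's code. The pure decision and the type replacement (what context_type_set() does on a context_t) are plain string handling and run anywhere; the live path behind HAVE_LIBSELINUX uses the real libselinux calls getcon(), getfilecon(), security_compute_create() and string_to_security_class() and only reports what the policy would do. The sample contexts and the fallback type name dpkg_script_t are constructed for illustration.

```c
/* Added example, not dpkg/rpm/libselinux code: dry-run of "which domain
 * would a maintainer script run in?".  Build with
 *   cc -o ctxcheck ctxcheck.c                      (pure logic, sample data)
 *   cc -DHAVE_LIBSELINUX -o ctxcheck ctxcheck.c -lselinux   (live query)
 * Live usage: ./ctxcheck /path/to/script fallback_type */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CTX_MAX 256

/* Replace the type (third field) of a "user:role:type[:level]" context,
 * i.e. what libselinux's context_type_set() does to a context_t.
 * Returns 0 on success, -1 on a malformed context or overflow. */
static int replace_type(const char *ctx, const char *new_type,
                        char *out, size_t outlen)
{
    const char *p1 = strchr(ctx, ':');
    const char *p2 = p1 ? strchr(p1 + 1, ':') : NULL;
    if (!p1 || !p2)
        return -1;                        /* fewer than three fields */
    const char *p3 = strchr(p2 + 1, ':'); /* optional MLS/MCS level */
    size_t prefix = (size_t)(p2 + 1 - ctx);
    const char *level = p3 ? p3 : "";     /* keep ":level" verbatim */
    int n = snprintf(out, outlen, "%.*s%s%s", (int)prefix, ctx, new_type, level);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* The decision.  'computed' is what the policy says a process with
 * context 'caller' gets when it executes a file with the script's file
 * context (security_compute_create on class "process").  If it equals
 * 'caller', no type_transition rule matched, so the fallback type is
 * substituted into the caller's context instead.  Returns 0 or -1. */
static int choose_exec_context(const char *caller, const char *computed,
                               const char *fallback_type,
                               char *out, size_t outlen)
{
    if (strcmp(caller, computed) != 0) {
        /* A transition applies: the script runs in that domain. */
        if (strlen(computed) >= outlen)
            return -1;
        strcpy(out, computed);
        return 0;
    }
    return replace_type(caller, fallback_type, out, outlen);
}

#ifdef HAVE_LIBSELINUX
#include <selinux/selinux.h>

/* Live variant: ask the kernel what would happen for a real script.
 * Reports the decision only; it never calls setexeccon(). */
static int dry_run_exec_context(const char *script, const char *fallback_type,
                                char *out, size_t outlen)
{
    char *mycon = NULL, *fcon = NULL, *newcon = NULL;
    int rc = -1;
    if (is_selinux_enabled() < 1)
        return -1;
    if (getcon(&mycon) < 0)
        goto done;
    if (getfilecon(script, &fcon) < 0)
        goto done;
    if (security_compute_create(mycon, fcon,
                                string_to_security_class("process"),
                                &newcon) < 0)
        goto done;
    rc = choose_exec_context(mycon, newcon, fallback_type, out, outlen);
done:
    freecon(mycon);   /* freecon() tolerates NULL */
    freecon(fcon);
    freecon(newcon);
    return rc;
}
#endif

int main(int argc, char **argv)
{
    char out[CTX_MAX];
#ifdef HAVE_LIBSELINUX
    if (argc == 3) {
        if (dry_run_exec_context(argv[1], argv[2], out, sizeof out) == 0)
            printf("%s would run in %s\n", argv[1], out);
        else
            printf("could not compute a context for %s\n", argv[1]);
        return 0;
    }
#endif
    (void)argc; (void)argv;
    /* Constructed contexts; dpkg_script_t is an assumed fallback type. */
    const char *user = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023";
    /* Case 1: the policy has a transition rule for this pair. */
    choose_exec_context(user,
                        "unconfined_u:unconfined_r:dpkg_script_t:s0-s0:c0.c1023",
                        "dpkg_script_t", out, sizeof out);
    printf("transition -> %s\n", out);
    /* Case 2: no transition rule, so the fallback type is substituted. */
    choose_exec_context(user, user, "dpkg_script_t", out, sizeof out);
    printf("fallback   -> %s\n", out);
    return 0;
}
```

Run with no arguments it prints both outcomes on the constructed contexts; on an SELinux host built with -DHAVE_LIBSELINUX it shows, for a given script path, whether the installed policy would transition the caller or whether the hard-coded fallback would be used, which is the case the thread is about for unconfined users.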