From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 09 Jan 2014 15:26:14 -0500
Subject: [refpolicy] Transition unconfined users to dpkg_t domain
In-Reply-To: <1389285402.15747.31.camel@x220.localdomain>
References: <20140107132919.5779c6c0@soldur.bigon.be>
 <20140107181207.13f8826d@soldur.bigon.be>
 <20140109132449.783398e6@soldur.bigon.be>
 <1389275208.14773.43.camel@x220.localdomain>
 <20140109165738.77a1d0a8@soldur.bigon.be>
 <1389283972.15747.21.camel@x220.localdomain>
 <20140109171932.2c48b131@soldur.bigon.be>
 <1389285402.15747.31.camel@x220.localdomain>
Message-ID: <52CF05E6.7070904@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/09/2014 11:36 AM, Dominick Grift wrote:
> On Thu, 2014-01-09 at 17:19 +0100, Laurent Bigonville wrote:
>
>> Actually it's the same code as rpm currently uses.
>>
>> It looks at the fcontext of the script then uses secure_compute_create to
>> see if a transition would occur. If it's the case it will make it
>> transition to that context, otherwise it's indeed using a hardcoded
>> context.
>
> Hard-coding configurable security identifiers is bad practice. I would not
> look too much to Fedora.
>
> In /etc/selinux there are config files that tell selinux aware programs
> what context to use in what situations. Programs should consult those
> config files, then use that information to determine whether to transition
> or not, and where to.
>
> Disclaimer: that's just my opinion

It has been like that for years. Might have been a chicken and egg problem
on initial install. RPM now has better flexibility.