From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Fri, 10 Jan 2014 12:37:08 -0500
Subject: [refpolicy] Transition unconfined users to dpkg_t domain
In-Reply-To: <20140110182732.3c6f298a@soldur.bigon.be>
References: <20140107132919.5779c6c0@soldur.bigon.be> <20140107181207.13f8826d@soldur.bigon.be> <20140109132449.783398e6@soldur.bigon.be> <1389275208.14773.43.camel@x220.localdomain> <20140109165738.77a1d0a8@soldur.bigon.be> <1389283972.15747.21.camel@x220.localdomain> <20140109171932.2c48b131@soldur.bigon.be> <1389285402.15747.31.camel@x220.localdomain> <52CF05E6.7070904@redhat.com> <52CF0743.4050305@tycho.nsa.gov> <20140110124748.3d3bac9c@soldur.bigon.be> <52D008E5.2010400@tycho.nsa.gov> <20140110182732.3c6f298a@soldur.bigon.be>
Message-ID: <52D02FC4.7030109@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/10/2014 12:27 PM, Laurent Bigonville wrote:
> On Fri, 10 Jan 2014 09:51:17 -0500, Stephen Smalley wrote:
>
>> On 01/10/2014 06:47 AM, Laurent Bigonville wrote:
>>> On Thu, 09 Jan 2014 15:32:03 -0500, Stephen Smalley wrote:
>>>
>>>> On 01/09/2014 03:26 PM, Daniel J Walsh wrote:
>>>>>
>>>>> It has been like that for years. Might have been a chicken and
>>>>> egg problem on initial install. RPM now has better flexibility.
>>>>
>>>> bootstrapping issue - needed to know the right domain prior to any
>>>> policy files being installed on the filesystem.
>>>
>>> Does that mean that rpm and dpkg are supposed to work even if the
>>> files in /etc/selinux/ are missing?
>>>
>>> With dpkg (which uses the rpm_execcon-like function) I'm getting the
>>> following error in that case:
>>> cannot get security labeling handle: No such file or directory
>>
>> I think they always set down a pre-generated file_contexts file just
>> for that purpose, but otherwise weren't guaranteed any other config
>> files. But that was all the original rpm selinux integration; I don't
>> know the current state of things.
>
> Thanks.
>
> About my initial issue with dpkg exiting if it cannot transition to
> "dpkg_script_t" from unconfined users. How do you think this should be
> solved? People don't like the transition of unconfined domains to
> confined ones (I agree with this), so do you think this should be fixed
> in the code (setexecfilecon() or dpkg), or could this be achieved in
> another way in the policy?

What's wrong with transitioning from unconfined to confined? Going from
more-privileged to less-privileged is the common (and safe) case, e.g.
init -> daemon, login -> user, etc. It is confined -> unconfined
transitions that are unsafe.
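As an added illustration, not taken from the thread or from refpolicy's own modules, these are the raw kernel-policy rules that make up the kind of more-privileged to less-privileged transition described above, using dpkg as the example. The types dpkg_t and dpkg_script_t appear in the thread; dpkg_exec_t and dpkg_script_exec_t are assumed names for the entry-point file types and should be checked against the policy actually in use.

```selinux
# Added example (not from the thread or from refpolicy): the four rules
# behind an automatic domain transition unconfined_t -> dpkg_t on exec.
# dpkg_exec_t / dpkg_script_exec_t are assumed entry-point types.

# 1. The caller may execute the dpkg binary.
allow unconfined_t dpkg_exec_t:file { getattr open read execute };

# 2. The caller may change its own domain to dpkg_t.
allow unconfined_t dpkg_t:process transition;

# 3. dpkg_exec_t is a permitted entry point into dpkg_t; without this the
#    transition is refused even if rule 2 is present.
allow dpkg_t dpkg_exec_t:file entrypoint;

# 4. Perform the transition automatically on exec (no setexeccon() call).
type_transition unconfined_t dpkg_exec_t:process dpkg_t;

# The same pattern one step further down: maintainer scripts run by dpkg
# go from dpkg_t into dpkg_script_t.
allow dpkg_t dpkg_script_exec_t:file { getattr open read execute };
allow dpkg_t dpkg_script_t:process transition;
allow dpkg_script_t dpkg_script_exec_t:file entrypoint;
type_transition dpkg_t dpkg_script_exec_t:process dpkg_script_t;

# When the caller requests the target domain explicitly instead, as
# setexecfilecon()/rpm_execcon() do via setexeccon(), rule 4 is not
# needed but the caller must additionally be allowed to set its exec
# context, and rules 2 and 3 still apply:
allow unconfined_t self:process setexec;
```

Each rule points the same way: the more-privileged domain is the source and the confined domain is the target, which is what makes the direction safe. A confined -> unconfined transition would need the mirror image of rules 2 and 3 with unconfined_t as the target, handing a confined process a way to escape its domain. With the policy loaded, `sesearch -T -s unconfined_t -t dpkg_exec_t -c process` (from setools) shows whether the type_transition rule is present, and `sesearch -A -s unconfined_t -t dpkg_t -c process` shows the allowed process permissions.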