From: dominick.grift@gmail.com (Dominick Grift)
Date: Fri, 10 Jan 2014 20:19:26 +0100
Subject: [refpolicy] Transition unconfined users to dpkg_t domain
In-Reply-To: <20140110184638.GA4709@siphos.be>
References: <20140109171932.2c48b131@soldur.bigon.be> <1389285402.15747.31.camel@x220.localdomain> <52CF05E6.7070904@redhat.com> <52CF0743.4050305@tycho.nsa.gov> <20140110124748.3d3bac9c@soldur.bigon.be> <52D008E5.2010400@tycho.nsa.gov> <20140110182732.3c6f298a@soldur.bigon.be> <52D02FC4.7030109@tycho.nsa.gov> <20140110183906.GA4510@siphos.be> <52D03E91.1000600@tycho.nsa.gov> <20140110184638.GA4709@siphos.be>
Message-ID: <1389381566.20258.43.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2014-01-10 at 19:46 +0100, Sven Vermeulen wrote:
> The set of changes you're referring to is not never-ending, and they're
> currently definitely not transparent.

I agree. Whether you transition to the RPM domain or not, the files will still be created with the right context because RPM uses libselinux for that regardless.

There is no reason to domain transition to rpm_t/rpm_script_t because that domain is as unconfined as unconfined_t.

But even if RPM did not use libselinux and we would depend on file/domain transition rules, I would still not transition to the RPM domain because unconfined_t is supposed to be able to manage the whole system via RPM or any other route.

So the madness of the never-ending story of adding file transition rules for unconfined_t applies regardless of whether you transition to RPM or not.

I also agree with your transparency comment. I would not call programs (having to) hard-code types transparent.