From: sds@tycho.nsa.gov (Stephen Smalley)
Date: Fri, 10 Jan 2014 14:58:43 -0500
Subject: [refpolicy] Transition unconfined users to dpkg_t domain
In-Reply-To: <1389379945.20258.33.camel@x220.localdomain>
References: <20140109165738.77a1d0a8@soldur.bigon.be>
 <1389283972.15747.21.camel@x220.localdomain>
 <20140109171932.2c48b131@soldur.bigon.be>
 <1389285402.15747.31.camel@x220.localdomain>
 <52CF05E6.7070904@redhat.com>
 <52CF0743.4050305@tycho.nsa.gov>
 <20140110124748.3d3bac9c@soldur.bigon.be>
 <52D008E5.2010400@tycho.nsa.gov>
 <20140110182732.3c6f298a@soldur.bigon.be>
 <52D02FC4.7030109@tycho.nsa.gov>
 <20140110183906.GA4510@siphos.be>
 <52D03E91.1000600@tycho.nsa.gov>
 <1389379945.20258.33.camel@x220.localdomain>
Message-ID: <52D050F3.2040608@tycho.nsa.gov>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/10/2014 01:52 PM, Dominick Grift wrote:
> On Fri, 2014-01-10 at 13:40 -0500, Stephen Smalley wrote:
>
>>
>> Ok, I don't agree. That way lies madness - a never-ending set of
>> changes to userspace programs to re-implement everything already
>> provided transparently through policy domain transitions and file type
>> transitions.
>>
>
> Not sure if I am choosing my words right here but rpm_t, rpm_script_t
> domains are a fallacy in the first place:
>
> # seinfo -xaunconfined_domain_type | grep rpm
> rpm_t
> rpm_script_t

That's true. There was an original vision of confining rpm, decomposing
it, etc., that never got past the prototype stage.