From: russell@coker.com.au (Russell Coker)
Date: Sun, 12 Jan 2014 11:59:03 +1100
Subject: [refpolicy] Transition unconfined users to dpkg_t domain
In-Reply-To: <1389381566.20258.43.camel@x220.localdomain>
References: <20140109171932.2c48b131@soldur.bigon.be> <20140110184638.GA4709@siphos.be> <1389381566.20258.43.camel@x220.localdomain>
Message-ID: <10071582.tSbv3mLmCQ@russell.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 10 Jan 2014 20:19:26 Dominick Grift wrote:
> > The set of changes you're referring to is not never-ending, and they're
> > currently definitely not transparent.
>
> I agree, Whether you transition to RPM domain or not, The files will
> still be created with the right context because RPM uses libselinux for
> that regardless. There is no reason to domain transition to
> rpm_t/rpm_script_t because that domain is as unconfined as unconfined_t.

If daemons are launched by the package management system then transitioning
from a domain like rpm_script_t or dpkg_script_t might be better than
transitioning from the domain used by the sysadmin (unconfined_t or sysadm_t).

I have the impression that Red Hat is going all systemd, so all daemons should
be launched from it instead of being launched directly. In Debian the init
issue is still being debated, but I guess we could just make systemd the
primary target and not worry too much if things don't work as well on other
systems.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/