From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 27 Jan 2014 13:20:26 -0500
Subject: [refpolicy] [PATCH] Allow unconfined users to transition to
 dpkg_t domain
In-Reply-To: <1389450202-22501-1-git-send-email-bigon@debian.org>
References: <1389450202-22501-1-git-send-email-bigon@debian.org>
Message-ID: <52E6A36A.3030600@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/11/14 09:23, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> dpkg is now using rpm_execcon()/setexecfilecon()-like function to
> transition to the dpkg_script_t domain. This function will fail in
> enforcing mode if the transition is not allowed.
> ---
>  policy/modules/system/unconfined.te | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 667f2a0..c22d964 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -76,6 +76,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dpkg_run(unconfined_t, unconfined_r)
> +')
> +
> +optional_policy(`
>  	firstboot_run(unconfined_t, unconfined_r)
>  ')

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com