[DSE-Dev] Bug#707214: refpolicy: Please handle new dpkg_script_t execution context

[Laurent Bigonville]

Le Sun, 22 Dec 2013 05:32:12 +0100,
Guillem Jover <guillem at debian.org> a écrit :

> Hi!
> 
> On Sun, 2013-12-22 at 02:26:44 +0100, Laurent Bigonville wrote:
> > I quickly tried, and when the package is installed (dpkg -i) the
> > maintainer script is properly transitioned to "dpkg_script_t".
> 
> Ah, good.

But this is only if the user is confined.

Looks like the rpm policy is also allowing unconfined users to
transition to the rpm_t domain. I guess this should also be done for
dpkg.

> 
> > dpkg-reconfigure is OTOH not transitioning the maintainer script to
> > its own context, I guess it also should be the case here?
> 
> Right, a bug would need to be filed for debconf. You are probably in a
> better position to file it, and test possible implementations, would
> you mind?

I've opened #732845.

> > Otherwise I think that the policy already has support for the
> > dpkg_script_t execution context, or did you had something specific
> > in mind?
> 
> Yeah, but it seemed incomplete/partial or just with some workarounds
> to handle the missing dpkg_script_t support in dpkg. See for example
> the TODO item or the “Use named file transition to fix this” commend
> in «policy/modules/contrib/dpkg.te». Maybe there's other things that
> could be improved or refined now in the policy? I don't know. :)

Well I think that ATM dpkg_t context has "too much" permissions, but
anyway, we first need to make dpkg-reconfigure selinux-aware before
removing these rules.

Cheers,

Laurent Bigonville