[DSE-Dev] Bug#707214: refpolicy: Please handle new dpkg_script_t execution context
bigon at debian.org
Mon Jan 6 19:17:13 UTC 2014
Le Sun, 22 Dec 2013 05:32:12 +0100,
Guillem Jover <guillem at debian.org> a écrit :
> On Sun, 2013-12-22 at 02:26:44 +0100, Laurent Bigonville wrote:
> > I quickly tried, and when the package is installed (dpkg -i) the
> > maintainer script is properly transitioned to "dpkg_script_t".
> Ah, good.
But this is only if the user is confined.
Looks like the rpm policy is also allowing unconfined users to
transition to the rpm_t domain. I guess this should also be done for
> > dpkg-reconfigure is OTOH not transitioning the maintainer script to
> > its own context, I guess it also should be the case here?
> Right, a bug would need to be filed for debconf. You are probably in a
> better position to file it, and test possible implementations, would
> you mind?
I've opened #732845.
> > Otherwise I think that the policy already has support for the
> > dpkg_script_t execution context, or did you had something specific
> > in mind?
> Yeah, but it seemed incomplete/partial or just with some workarounds
> to handle the missing dpkg_script_t support in dpkg. See for example
> the TODO item or the “Use named file transition to fix this” commend
> in «policy/modules/contrib/dpkg.te». Maybe there's other things that
> could be improved or refined now in the policy? I don't know. :)
Well I think that ATM dpkg_t context has "too much" permissions, but
anyway, we first need to make dpkg-reconfigure selinux-aware before
removing these rules.
More information about the SELinux-devel