Re: [DSE-Dev] Bug#682068: selinux + piuparts
Hello,

Any news for this bug?

I've an extra request related to this. According to [0] the selinuxfs in the chroot should be mounted as read-only so the userspace inside the chroot thinks selinux is disabled. If we are not doing this, dpkg (and other selinux-aware software) might fail (see #734193).

According to this post[1] in this discussion, the selinuxfs should be bound instead of mounted and then should be remounted as read-only:

    mount --bind /sys/fs/selinux /var/chroot/sys/fs/selinux
    mount -o remount,ro,bind /var/chroot/sys/fs/selinux

I guess that mounting the selinuxfs as read-only is a bit more urgent than moving the mountpoint.

Cheers,

Laurent Bigonville

[0] http://comments.gmane.org/gmane.comp.security.selinux/15349
[1] http://permalink.gmane.org/gmane.comp.security.selinux/15870

___
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
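The two mount commands above, wrapped in a script together with the check a piuparts maintainer would want before trusting the chroot. This is an added example, not code from piuparts or from the message: the setup function runs the bind-mount and read-only remount exactly as quoted (it needs root and a host with /sys/fs/selinux mounted, so it is not executed below), and the check function reads /proc/self/mounts-style lines and reports whether the selinuxfs under a given chroot is absent, mounted rw (the state the message says confuses dpkg) or mounted ro. The chroot path /var/chroot and the mount lines used for the demonstration are constructed for this example.

```shell
#!/bin/sh
# Added example for the "selinuxfs read-only in the chroot" recipe.
# Not piuparts code; /var/chroot and the sample mount lines are invented.
set -eu

# Bind /sys/fs/selinux into the chroot, then flip the bind mount to read-only.
# A plain "mount --bind" inherits the host's rw flag, hence the second step
# with remount,ro,bind. Requires root; not called at the top level here.
setup_chroot_selinuxfs() {
    chroot="$1"
    mkdir -p "$chroot/sys/fs/selinux"
    mount --bind /sys/fs/selinux "$chroot/sys/fs/selinux"
    mount -o remount,ro,bind "$chroot/sys/fs/selinux"
}

# Read mount-table lines (format of /proc/self/mounts) from stdin and print
# the state of selinuxfs at $chroot/sys/fs/selinux: "absent", "rw" or "ro".
# Later lines win, matching how a newer mount shadows an older one.
selinuxfs_state() {
    chroot="$1"
    target="$chroot/sys/fs/selinux"
    state=absent
    while read -r _dev mnt fstype opts _rest; do
        [ "$mnt" = "$target" ] || continue
        [ "$fstype" = selinuxfs ] || continue
        case ",$opts," in
            *,ro,*) state=ro ;;
            *)      state=rw ;;
        esac
    done
    echo "$state"
}

# Constructed sample mount tables (not captured from a real system).
# Host selinuxfs is rw in both; only the chroot copy differs.
SAMPLE_RW='selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
selinuxfs /var/chroot/sys/fs/selinux selinuxfs rw,relatime 0 0'
SAMPLE_RO='selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
selinuxfs /var/chroot/sys/fs/selinux selinuxfs ro,relatime 0 0'

# Stand-alone demonstration against the constructed tables.
printf '%s\n' "$SAMPLE_RW" | selinuxfs_state /var/chroot   # rw (dpkg may fail)
printf '%s\n' "$SAMPLE_RO" | selinuxfs_state /var/chroot   # ro (wanted state)
printf '%s\n' "$SAMPLE_RO" | selinuxfs_state /other/chroot # absent
```

On a real host you would run `setup_chroot_selinuxfs /var/chroot` as root and then `selinuxfs_state /var/chroot < /proc/self/mounts`, expecting `ro`. Whether userspace inside the chroot then really reports SELinux as disabled is the behaviour the message attributes to [0]; `chroot /var/chroot getenforce` is the quickest way to see what the chroot's libselinux concludes.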
[DSE-Dev] Transition unconfined users to dpkg_t domain
Hello,

Currently in the refpolicy unconfined users can transition to the rpm_t (and then to rpm_script_t) domain when using the rpm commands. On the other hand, unconfined users are not allowed to transition to dpkg_t. Shouldn't that also be the case? I can propose a patch if you want, but I prefer to ask first as I know there are some discussions about transitioning users out of the unconfined domain.

Also, since 1.17.0, dpkg is transitioning maintainer scripts to the dpkg_script_t domain. Unfortunately the dpkg-reconfigure script (which is in perl) is not doing so. Any idea how this should be done? I've opened [0] if somebody is interested.

Cheers,

Laurent Bigonville

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732845
Re: [DSE-Dev] [Piuparts-devel] Bug#682068: selinux + piuparts
control: tags -1 + help

Hi Laurent,

On Tuesday, 7 January 2014, Laurent Bigonville wrote:
> Any news for this bug?

no. I also don't have motivation to work on this, so help would be welcome. (I'd rather invest time in AppArmor than SELinux...)

cheers,

Holger