On Sun, 22 Dec 2013 05:32:12 +0100, Guillem Jover <guil...@debian.org> wrote:

> Hi!
>
> On Sun, 2013-12-22 at 02:26:44 +0100, Laurent Bigonville wrote:
> > I quickly tried, and when the package is installed (dpkg -i) the
> > maintainer script is properly transitioned to "dpkg_script_t".
>
> Ah, good.

But this is only if the user is confined. Looks like the rpm policy is also allowing unconfined users to transition to the rpm_t domain. I guess this should also be done for dpkg.

> > dpkg-reconfigure is OTOH not transitioning the maintainer script to
> > its own context, I guess it also should be the case here?
>
> Right, a bug would need to be filed for debconf. You are probably in a
> better position to file it, and test possible implementations, would
> you mind?

I've opened #732845.

> > Otherwise I think that the policy already has support for the
> > dpkg_script_t execution context, or did you have something specific
> > in mind?
>
> Yeah, but it seemed incomplete/partial or just with some workarounds
> to handle the missing dpkg_script_t support in dpkg. See for example
> the TODO item or the “Use named file transition to fix this” comment
> in «policy/modules/contrib/dpkg.te». Maybe there's other things that
> could be improved or refined now in the policy? I don't know. :)

Well, I think that ATM the dpkg_t context has "too many" permissions, but anyway, we first need to make dpkg-reconfigure selinux-aware before removing these rules.

Cheers,

Laurent Bigonville

_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
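An added illustration of the point raised above about unconfined users (not from the thread, and not a patch to the Debian or refpolicy sources): the rpm pattern that lets unconfined users enter rpm_t, and the analogous call for dpkg. It assumes the refpolicy layout (policy/modules/system/unconfined.te, policy/modules/contrib/dpkg.te) and the rpm_run()/dpkg_run() interfaces that refpolicy's rpm.if and dpkg.if define.

```m4
# Illustrative policy fragment for unconfined.te (added example, not the
# page's or the project's own code). Assumes refpolicy's rpm_run() and
# dpkg_run() interfaces exist with the (domain, role) signature.

# What the thread observes in the rpm policy: an unconfined user running
# rpm gets a domain transition into rpm_t.
optional_policy(`
	rpm_run(unconfined_t, unconfined_r)
')

# The equivalent for dpkg: allow the unconfined user to transition into
# dpkg_t on executing dpkg_exec_t, and give unconfined_r the dpkg_t and
# dpkg_script_t roles so maintainer scripts can go on to dpkg_script_t.
# Without this, only already-confined users get the dpkg_script_t
# transition described in the thread.
optional_policy(`
	dpkg_run(unconfined_t, unconfined_r)
')
```

After rebuilding and loading the policy, `sesearch -T -s unconfined_t -t dpkg_exec_t` should list a type_transition to dpkg_t, and a maintainer script started from an unconfined shell via `dpkg -i` should show up in `ps -eZ` as dpkg_script_t.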