Re: [DSE-Dev] refpolicy: domains need access to the apt's pty and fifos

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Russel,
> > It would definitely help to have separate apt_t and apt_script_t
> > domains, though, to be able to differentiate access for installation
> > scripts and the package manager itself.
> What meaningful restrictions can be applied to one but not the other?

I agree with you that we would currently have to allow pretty much any
access by apt_script_t, unfortunately. Sorry for mixing up apt and dpkg
again in that post btw, yes, it sould be dpkg_t and dpkg_script_t,
obviously.
No, I can't really think of ways to restrict dpkg_script_t apart from
not messing with the dpkg_t state files. Maybe we could make some policy
that /usr is to be modified by dpkg_t only whereas dynamically generated
files have to reside in /var, but I doubt this would currently hold.
And after all, dpkg_script_t needs to be able to even add users
to /etc/passwd (although through the helper applications, not directly).

best regards,
Erich Schubert
-- 
    erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C     (o_
 The early bird gets the worm, but the second mouse gets the cheese.  //\
       Ein Freund ist ein Geschenk, das man sich selbst macht.        V_/_


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux