[refpolicy] Transition unconfined users to dpkg_t domain

[sds@tycho.nsa.gov (Stephen Smalley)]

On 01/10/2014 12:27 PM, Laurent Bigonville wrote:
> Le Fri, 10 Jan 2014 09:51:17 -0500,
> Stephen Smalley <sds@tycho.nsa.gov> a ?crit :
> 
>> On 01/10/2014 06:47 AM, Laurent Bigonville wrote:
>>> Le Thu, 09 Jan 2014 15:32:03 -0500,
>>> Stephen Smalley <sds@tycho.nsa.gov> a ?crit :
>>>
>>>> On 01/09/2014 03:26 PM, Daniel J Walsh wrote:
>>>>>
>>>>> It has been like that for years.  Might have been a chicken and
>>>>> egg problem on initial install.  RPM Now has better flexibility.
>>>>
>>>> bootstrapping issue - needed to know the right domain prior to any
>>>> policy files being installed on the filesystem.
>>>
>>> Does that means that rpm and dpkg are supposed to work even if the
>>> files in /etc/selinux/<my_current_policy> are missing?
>>>
>>> With dpkg (that use the rpm_execcon-like function) I'm getting the
>>> following error in that case:
>>>  cannot get security labeling handle: No such file or directory
>>
>> I think they always set down a pre-generated file_contexts file just
>> for that purpose, but otherwise weren't guaranteed any other config
>> files. But that was all the original rpm selinux integration; I don't
>> know the current state of things.
> 
> Thanks.
> 
> About my initial issue with dpkg exiting if it cannot transition to
> "dpkg_script_t" from unconfined users. How do you think this should be
> solved? People doesn't like the transition of unconfined domains to
> confined ones (I agree with this), so you think this should be fixed in
> the code (setexecfilecon() or dpkg) or this could achieved in an other
> way in the policy?

What's wrong with transitioning from unconfined to confined?  Going from
more-privileged to less-privileged is the common (and safe) case, e.g.
init -> daemon, login -> user, etc.  It is confined -> unconfined
transitions that are unsafe.