* [refpolicy] [PATCH v2 0/5] Support dracut domain
@ 2012-06-24 18:03 Sven Vermeulen
2012-06-24 18:03 ` [refpolicy] [PATCH v2 1/5] Add read interface for udev rules Sven Vermeulen
` (4 more replies)
0 siblings, 5 replies; 21+ messages in thread
From: Sven Vermeulen @ 2012-06-24 18:03 UTC (permalink / raw)
To: refpolicy
While trying to get a SELinux-supporting initramfs booted up (in enforcing
mode, without unconfined domains) my current attempts are at dracut. But
dracut itself didn't work quite well on such a system as running it in
sysadm_t domain fails (some domain transitions occur which are then asked to
write files in user_tmp_t which isn't allowed for those domains).
Instead of patching those domains (ldconfig_t and depmod_t) to allow writing
& creating files in user_tmp_t (i.e. manage privileges) I drafted up a
dracut domain (dracut_t) and grant those domains manage access to
dracut_tmp_t.
To support dracut, a few changes were necessary to the policy as well
(additional interfaces).
The summary:
- Add read interface for udev rules (udev_read_rules_files)
- List module configuration option files (modutils_list_module_config)
- Add in the dracut_t policy
- Grant ldconfig_t and depmod_t the dracut_manage_tmp_files privilege
- Allow sysadm_t to run/transition to dracut_t
^ permalink raw reply [flat|nested] 21+ messages in thread* [refpolicy] [PATCH v2 1/5] Add read interface for udev rules 2012-06-24 18:03 [refpolicy] [PATCH v2 0/5] Support dracut domain Sven Vermeulen @ 2012-06-24 18:03 ` Sven Vermeulen 2012-06-24 19:28 ` Dominick Grift 2012-06-24 18:04 ` [refpolicy] [PATCH v2 2/5] Support listing module configuration files Sven Vermeulen ` (3 subsequent siblings) 4 siblings, 1 reply; 21+ messages in thread From: Sven Vermeulen @ 2012-06-24 18:03 UTC (permalink / raw) To: refpolicy Applications, such as dracut or other initramfs creators, need read access to udev rules to see if they need to pull in additional requirements for the initramfs or not. This adds in the udev_read_rules_files() interface for this purpose. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/system/udev.if | 19 +++++++++++++++++++ 1 files changed, 19 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index 025348a..57fd764 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -132,6 +132,25 @@ interface(`udev_dontaudit_rw_dgram_sockets',` ######################################## ## <summary> +## Read udev rules files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`udev_read_rules_files',` + gen_require(` + type udev_rules_t; + ') + + read_files_pattern($1, udev_rules_t, udev_rules_t) +') + + +######################################## +## <summary> ## Manage udev rules files ## </summary> ## <param name="domain"> -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 1/5] Add read interface for udev rules 2012-06-24 18:03 ` [refpolicy] [PATCH v2 1/5] Add read interface for udev rules Sven Vermeulen @ 2012-06-24 19:28 ` Dominick Grift 0 siblings, 0 replies; 21+ messages in thread From: Dominick Grift @ 2012-06-24 19:28 UTC (permalink / raw) To: refpolicy On Sun, 2012-06-24 at 20:03 +0200, Sven Vermeulen wrote: > Applications, such as dracut or other initramfs creators, need read access to > udev rules to see if they need to pull in additional requirements for the > initramfs or not. This adds in the udev_read_rules_files() interface for > this purpose. > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > policy/modules/system/udev.if | 19 +++++++++++++++++++ > 1 files changed, 19 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if > index 025348a..57fd764 100644 > --- a/policy/modules/system/udev.if > +++ b/policy/modules/system/udev.if > @@ -132,6 +132,25 @@ interface(`udev_dontaudit_rw_dgram_sockets',` > > ######################################## > ## <summary> > +## Read udev rules files > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`udev_read_rules_files',` > + gen_require(` > + type udev_rules_t; > + ') > + files_search_etc($1) > + read_files_pattern($1, udev_rules_t, udev_rules_t) > +') > + > + > +######################################## > +## <summary> > ## Manage udev rules files > ## </summary> > ## <param name="domain"> ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 2/5] Support listing module configuration files 2012-06-24 18:03 [refpolicy] [PATCH v2 0/5] Support dracut domain Sven Vermeulen 2012-06-24 18:03 ` [refpolicy] [PATCH v2 1/5] Add read interface for udev rules Sven Vermeulen @ 2012-06-24 18:04 ` Sven Vermeulen 2012-06-24 19:32 ` Dominick Grift 2012-06-24 18:04 ` [refpolicy] [PATCH v2 3/5] Adding dracut policy Sven Vermeulen ` (2 subsequent siblings) 4 siblings, 1 reply; 21+ messages in thread From: Sven Vermeulen @ 2012-06-24 18:04 UTC (permalink / raw) To: refpolicy Dracut, an application that creates an initramfs based on the systems' requirements, needs to list the module configuration files to function. This adds in this interface for this purpose. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/system/modutils.if | 21 +++++++++++++++++++++ policy/modules/system/modutils.te | 4 ++++ 2 files changed, 25 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index 350c450..19d328a 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -39,6 +39,27 @@ interface(`modutils_read_module_deps',` ######################################## ## <summary> +## List the module configuration option files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`modutils_list_module_config',` + gen_require(` + type modules_conf_t; + ') + + list_dirs_pattern($1, modules_conf_t, modules_conf_t) +') + + + +######################################## +## <summary> ## Read the configuration options used when ## loading modules. ## </summary> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 560d5d9..7607294 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -89,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + dracut_manage_tmp_files(depmod_t) +') + +optional_policy(` rpm_rw_pipes(depmod_t) rpm_manage_script_tmp_files(depmod_t) ') -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 2/5] Support listing module configuration files 2012-06-24 18:04 ` [refpolicy] [PATCH v2 2/5] Support listing module configuration files Sven Vermeulen @ 2012-06-24 19:32 ` Dominick Grift 0 siblings, 0 replies; 21+ messages in thread From: Dominick Grift @ 2012-06-24 19:32 UTC (permalink / raw) To: refpolicy On Sun, 2012-06-24 at 20:04 +0200, Sven Vermeulen wrote: > Dracut, an application that creates an initramfs based on the systems' > requirements, needs to list the module configuration > files to function. This adds in this interface for this purpose. > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > policy/modules/system/modutils.if | 21 +++++++++++++++++++++ > policy/modules/system/modutils.te | 4 ++++ > 2 files changed, 25 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if > index 350c450..19d328a 100644 > --- a/policy/modules/system/modutils.if > +++ b/policy/modules/system/modutils.if > @@ -39,6 +39,27 @@ interface(`modutils_read_module_deps',` > > ######################################## > ## <summary> > +## List the module configuration option files > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +## <rolecap/> > +# > +interface(`modutils_list_module_config',` > + gen_require(` > + type modules_conf_t; > + ') I doubt that its listing this just for the sake of listing. You will probably want to use "modutils_read_module_config()" instead. This also allow caller to list. > + list_dirs_pattern($1, modules_conf_t, modules_conf_t) > +') > + > + > + > +######################################## > +## <summary> > ## Read the configuration options used when > ## loading modules. > ## </summary> > diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te > index 560d5d9..7607294 100644 > --- a/policy/modules/system/modutils.te > +++ b/policy/modules/system/modutils.te > @@ -89,6 +89,10 @@ tunable_policy(`use_samba_home_dirs',` > ') > > optional_policy(` > + dracut_manage_tmp_files(depmod_t) > +') > + > +optional_policy(` > rpm_rw_pipes(depmod_t) > rpm_manage_script_tmp_files(depmod_t) > ') ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-24 18:03 [refpolicy] [PATCH v2 0/5] Support dracut domain Sven Vermeulen 2012-06-24 18:03 ` [refpolicy] [PATCH v2 1/5] Add read interface for udev rules Sven Vermeulen 2012-06-24 18:04 ` [refpolicy] [PATCH v2 2/5] Support listing module configuration files Sven Vermeulen @ 2012-06-24 18:04 ` Sven Vermeulen 2012-06-24 19:42 ` Dominick Grift 2012-06-24 18:05 ` [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut Sven Vermeulen 2012-06-24 18:05 ` [refpolicy] [PATCH v2 5/5] Allow sysadm_t to call dracut and transition to dracut_t Sven Vermeulen 4 siblings, 1 reply; 21+ messages in thread From: Sven Vermeulen @ 2012-06-24 18:04 UTC (permalink / raw) To: refpolicy Running dracut out of the sysadm_t domain doesn't (fully) work on a policy without unconfined domains. The calls to depmod, whose output is then directed to a tmp location, is denied through this. Instead of granting depmod (and other tools) "manage" access to user_tmp_t, we create a separate domain for dracut (called dracut_t) and grant these tools management access to dracut_tmp_t. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- dracut.fc | 4 +++ dracut.if | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ dracut.te | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 149 insertions(+), 0 deletions(-) create mode 100644 dracut.fc create mode 100644 dracut.if create mode 100644 dracut.te diff --git a/dracut.fc b/dracut.fc new file mode 100644 index 0000000..fca0d67 --- /dev/null +++ b/dracut.fc @@ -0,0 +1,4 @@ +# +# /usr +# +/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0) diff --git a/dracut.if b/dracut.if new file mode 100644 index 0000000..929fffd --- /dev/null +++ b/dracut.if @@ -0,0 +1,69 @@ +## <summary>Dracut initramfs creation tool</summary> + +######################################## +## <summary> +## Execute the dracut program in the dracut domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`dracut_domtrans',` + gen_require(` + type dracut_t, dracut_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dracut_exec_t, dracut_t) +') + +######################################## +## <summary> +## Execute dracut in the dracut domain, and +## allow the specified role the dracut domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +# +interface(`dracut_run',` + gen_require(` + type dracut_t; + ') + + dracut_domtrans($1) + role $2 types dracut_t; +') + +######################################## +## <summary> +## Allow domain to manage dracut temporary files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dracut_manage_tmp_files',` + gen_require(` + type dracut_tmp_t; + ') + + files_search_var($1) + files_search_tmp($1) + + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t) + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t) + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t) +') + diff --git a/dracut.te b/dracut.te new file mode 100644 index 0000000..4bd6cb3 --- /dev/null +++ b/dracut.te @@ -0,0 +1,76 @@ +policy_module(dracut, 1.0) + +type dracut_t; +type dracut_exec_t; +application_domain(dracut_t, dracut_exec_t) + +type dracut_var_log_t; +logging_log_file(dracut_var_log_t) + +type dracut_tmp_t; +files_tmp_file(dracut_tmp_t) + +######################################## +# +# Local policy +# +allow dracut_t self:process setfscreate; +allow dracut_t self:fifo_file rw_fifo_file_perms; +allow dracut_t self:unix_stream_socket create_stream_socket_perms; + +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir }) + +manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t) +logging_log_filetrans(dracut_t, dracut_var_log_t, file) + +kernel_read_system_state(dracut_t) + +corecmd_exec_bin(dracut_t) +corecmd_exec_shell(dracut_t) +corecmd_read_all_executables(dracut_t) + +dev_read_sysfs(dracut_t) + +domain_use_interactive_fds(dracut_t) + +files_create_kernel_img(dracut_t) +files_read_etc_files(dracut_t) +files_read_kernel_modules(dracut_t) +files_read_usr_files(dracut_t) +files_search_pids(dracut_t) + +fstools_exec(dracut_t) + +libs_domtrans_ldconfig(dracut_t) +libs_exec_ld_so(dracut_t) +libs_exec_lib_files(dracut_t) + +miscfiles_read_localization(dracut_t) + +modutils_exec_depmod(dracut_t) +modutils_exec_insmod(dracut_t) +modutils_list_module_config(dracut_t) +modutils_read_module_config(dracut_t) +modutils_read_module_deps(dracut_t) + +mount_exec(dracut_t) + +seutil_exec_setfiles(dracut_t) + +udev_exec(dracut_t) +udev_read_rules_files(dracut_t) + +userdom_use_user_terminals(dracut_t) + +optional_policy(` + dmesg_exec(dracut_t) +') + +optional_policy(` + lvm_exec(dracut_t) + lvm_read_config(dracut_t) +') + -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-24 18:04 ` [refpolicy] [PATCH v2 3/5] Adding dracut policy Sven Vermeulen @ 2012-06-24 19:42 ` Dominick Grift 2012-06-25 8:24 ` Miroslav Grepl ` (2 more replies) 0 siblings, 3 replies; 21+ messages in thread From: Dominick Grift @ 2012-06-24 19:42 UTC (permalink / raw) To: refpolicy On Sun, 2012-06-24 at 20:04 +0200, Sven Vermeulen wrote: > Running dracut out of the sysadm_t domain doesn't (fully) work on a policy > without unconfined domains. The calls to depmod, whose output is then > directed to a tmp location, is denied through this. Instead of granting > depmod (and other tools) "manage" access to user_tmp_t, we create a separate > domain for dracut (called dracut_t) and grant these tools management > access to dracut_tmp_t. > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> > --- > dracut.fc | 4 +++ > dracut.if | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ > dracut.te | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 149 insertions(+), 0 deletions(-) > create mode 100644 dracut.fc > create mode 100644 dracut.if > create mode 100644 dracut.te > > diff --git a/dracut.fc b/dracut.fc > new file mode 100644 > index 0000000..fca0d67 > --- /dev/null > +++ b/dracut.fc > @@ -0,0 +1,4 @@ > +# > +# /usr > +# > +/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0) > diff --git a/dracut.if b/dracut.if > new file mode 100644 > index 0000000..929fffd > --- /dev/null > +++ b/dracut.if > @@ -0,0 +1,69 @@ > +## <summary>Dracut initramfs creation tool</summary> > + > +######################################## > +## <summary> > +## Execute the dracut program in the dracut domain. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed to transition. > +## </summary> > +## </param> > +# > +interface(`dracut_domtrans',` > + gen_require(` > + type dracut_t, dracut_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, dracut_exec_t, dracut_t) > +') > + > +######################################## > +## <summary> > +## Execute dracut in the dracut domain, and > +## allow the specified role the dracut domain. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed to transition. > +## </summary> > +## </param> > +## <param name="role"> > +## <summary> > +## Role allowed access. > +## </summary> > +## </param> > +# > +interface(`dracut_run',` > + gen_require(` > + type dracut_t; > + ') > + > + dracut_domtrans($1) > + role $2 types dracut_t; > +') > + > +######################################## > +## <summary> > +## Allow domain to manage dracut temporary files > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`dracut_manage_tmp_files',` > + gen_require(` > + type dracut_tmp_t; > + ') > + > + files_search_var($1) > + files_search_tmp($1) > + > + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t) > + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t) > + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t) > +') This isn't what it say's it is. I would probably make it dracut_manage_tmp() Allow, and dracut in description is obvious, i would make it "Manage temporary content" > diff --git a/dracut.te b/dracut.te > new file mode 100644 > index 0000000..4bd6cb3 > --- /dev/null > +++ b/dracut.te > @@ -0,0 +1,76 @@ > +policy_module(dracut, 1.0) > + > +type dracut_t; > +type dracut_exec_t; > +application_domain(dracut_t, dracut_exec_t) > + > +type dracut_var_log_t; > +logging_log_file(dracut_var_log_t) > + > +type dracut_tmp_t; > +files_tmp_file(dracut_tmp_t) > + > +######################################## > +# > +# Local policy > +# > +allow dracut_t self:process setfscreate; > +allow dracut_t self:fifo_file rw_fifo_file_perms; > +allow dracut_t self:unix_stream_socket create_stream_socket_perms; > + > +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) > +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) > +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) > +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir }) i suspect not all these type transitions are needed. > + > +manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t) > +logging_log_filetrans(dracut_t, dracut_var_log_t, file) > + > +kernel_read_system_state(dracut_t) > + > +corecmd_exec_bin(dracut_t) > +corecmd_exec_shell(dracut_t) > +corecmd_read_all_executables(dracut_t) > + > +dev_read_sysfs(dracut_t) > + > +domain_use_interactive_fds(dracut_t) > + > +files_create_kernel_img(dracut_t) > +files_read_etc_files(dracut_t) > +files_read_kernel_modules(dracut_t) > +files_read_usr_files(dracut_t) > +files_search_pids(dracut_t) > + > +fstools_exec(dracut_t) > + > +libs_domtrans_ldconfig(dracut_t) > +libs_exec_ld_so(dracut_t) > +libs_exec_lib_files(dracut_t) > + > +miscfiles_read_localization(dracut_t) > + > +modutils_exec_depmod(dracut_t) > +modutils_exec_insmod(dracut_t) > +modutils_list_module_config(dracut_t) redundant this is already allowed with modutils_read_module_config() > +modutils_read_module_config(dracut_t) > +modutils_read_module_deps(dracut_t) > + > +mount_exec(dracut_t) > + > +seutil_exec_setfiles(dracut_t) So you allow it to run setfiles in the dracut domain, but you dont allow the dracut domain to relabelfrom and -to anything? > + > +udev_exec(dracut_t) > +udev_read_rules_files(dracut_t) > + > +userdom_use_user_terminals(dracut_t) > + > +optional_policy(` > + dmesg_exec(dracut_t) > +') > + > +optional_policy(` > + lvm_exec(dracut_t) > + lvm_read_config(dracut_t) > +') > + ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-24 19:42 ` Dominick Grift @ 2012-06-25 8:24 ` Miroslav Grepl 2012-06-25 8:36 ` Dominick Grift 2012-06-25 14:35 ` Sven Vermeulen 2012-06-25 14:31 ` Sven Vermeulen 2012-06-25 20:38 ` Sven Vermeulen 2 siblings, 2 replies; 21+ messages in thread From: Miroslav Grepl @ 2012-06-25 8:24 UTC (permalink / raw) To: refpolicy On 06/24/2012 09:42 PM, Dominick Grift wrote: > On Sun, 2012-06-24 at 20:04 +0200, Sven Vermeulen wrote: >> Running dracut out of the sysadm_t domain doesn't (fully) work on a policy >> without unconfined domains. The calls to depmod, whose output is then >> directed to a tmp location, is denied through this. Instead of granting >> depmod (and other tools) "manage" access to user_tmp_t, we create a separate >> domain for dracut (called dracut_t) and grant these tools management >> access to dracut_tmp_t. >> >> Signed-off-by: Sven Vermeulen<sven.vermeulen@siphos.be> >> --- >> dracut.fc | 4 +++ >> dracut.if | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> dracut.te | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ >> 3 files changed, 149 insertions(+), 0 deletions(-) >> create mode 100644 dracut.fc >> create mode 100644 dracut.if >> create mode 100644 dracut.te >> >> diff --git a/dracut.fc b/dracut.fc >> new file mode 100644 >> index 0000000..fca0d67 >> --- /dev/null >> +++ b/dracut.fc >> @@ -0,0 +1,4 @@ >> +# >> +# /usr >> +# >> +/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0) >> diff --git a/dracut.if b/dracut.if >> new file mode 100644 >> index 0000000..929fffd >> --- /dev/null >> +++ b/dracut.if >> @@ -0,0 +1,69 @@ >> +##<summary>Dracut initramfs creation tool</summary> >> + >> +######################################## >> +##<summary> >> +## Execute the dracut program in the dracut domain. >> +##</summary> >> +##<param name="domain"> >> +## <summary> >> +## Domain allowed to transition. >> +## </summary> >> +##</param> >> +# >> +interface(`dracut_domtrans',` >> + gen_require(` >> + type dracut_t, dracut_exec_t; >> + ') >> + >> + corecmd_search_bin($1) >> + domtrans_pattern($1, dracut_exec_t, dracut_t) >> +') >> + >> +######################################## >> +##<summary> >> +## Execute dracut in the dracut domain, and >> +## allow the specified role the dracut domain. >> +##</summary> >> +##<param name="domain"> >> +## <summary> >> +## Domain allowed to transition. >> +## </summary> >> +##</param> >> +##<param name="role"> >> +## <summary> >> +## Role allowed access. >> +## </summary> >> +##</param> >> +# >> +interface(`dracut_run',` >> + gen_require(` >> + type dracut_t; >> + ') >> + >> + dracut_domtrans($1) >> + role $2 types dracut_t; >> +') >> + >> +######################################## >> +##<summary> >> +## Allow domain to manage dracut temporary files >> +##</summary> >> +##<param name="domain"> >> +## <summary> >> +## Domain allowed access. >> +## </summary> >> +##</param> >> +# >> +interface(`dracut_manage_tmp_files',` >> + gen_require(` >> + type dracut_tmp_t; >> + ') >> + >> + files_search_var($1) >> + files_search_tmp($1) >> + >> + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t) >> + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t) >> + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t) >> +') > This isn't what it say's it is. I would probably make it > dracut_manage_tmp() > > Allow, and dracut in description is obvious, i would make it "Manage > temporary content" > >> diff --git a/dracut.te b/dracut.te >> new file mode 100644 >> index 0000000..4bd6cb3 >> --- /dev/null >> +++ b/dracut.te >> @@ -0,0 +1,76 @@ >> +policy_module(dracut, 1.0) >> + >> +type dracut_t; >> +type dracut_exec_t; >> +application_domain(dracut_t, dracut_exec_t) >> + >> +type dracut_var_log_t; >> +logging_log_file(dracut_var_log_t) >> + >> +type dracut_tmp_t; >> +files_tmp_file(dracut_tmp_t) >> + >> +######################################## >> +# >> +# Local policy >> +# >> +allow dracut_t self:process setfscreate; >> +allow dracut_t self:fifo_file rw_fifo_file_perms; >> +allow dracut_t self:unix_stream_socket create_stream_socket_perms; >> + >> +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) >> +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) >> +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) >> +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir }) > i suspect not all these type transitions are needed. > >> + >> +manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t) >> +logging_log_filetrans(dracut_t, dracut_var_log_t, file) >> + >> +kernel_read_system_state(dracut_t) >> + >> +corecmd_exec_bin(dracut_t) >> +corecmd_exec_shell(dracut_t) >> +corecmd_read_all_executables(dracut_t) >> + >> +dev_read_sysfs(dracut_t) >> + >> +domain_use_interactive_fds(dracut_t) >> + >> +files_create_kernel_img(dracut_t) >> +files_read_etc_files(dracut_t) >> +files_read_kernel_modules(dracut_t) >> +files_read_usr_files(dracut_t) >> +files_search_pids(dracut_t) >> + >> +fstools_exec(dracut_t) >> + >> +libs_domtrans_ldconfig(dracut_t) >> +libs_exec_ld_so(dracut_t) >> +libs_exec_lib_files(dracut_t) >> + >> +miscfiles_read_localization(dracut_t) >> + >> +modutils_exec_depmod(dracut_t) >> +modutils_exec_insmod(dracut_t) >> +modutils_list_module_config(dracut_t) > redundant this is already allowed with modutils_read_module_config() > >> +modutils_read_module_config(dracut_t) >> +modutils_read_module_deps(dracut_t) >> + >> +mount_exec(dracut_t) >> + >> +seutil_exec_setfiles(dracut_t) > So you allow it to run setfiles in the dracut domain, but you dont allow > the dracut domain to relabelfrom and -to anything? I believe dracut should stay as unconfined domain. Also you probably will see other domains which are want to execute dracut. And I would think transitions will be needed rather than just execute apps in the dracut domain. > >> + >> +udev_exec(dracut_t) >> +udev_read_rules_files(dracut_t) >> + >> +userdom_use_user_terminals(dracut_t) >> + >> +optional_policy(` >> + dmesg_exec(dracut_t) >> +') >> + >> +optional_policy(` >> + lvm_exec(dracut_t) >> + lvm_read_config(dracut_t) >> +') >> + > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-25 8:24 ` Miroslav Grepl @ 2012-06-25 8:36 ` Dominick Grift 2012-06-25 13:42 ` Daniel J Walsh 2012-06-25 14:35 ` Sven Vermeulen 1 sibling, 1 reply; 21+ messages in thread From: Dominick Grift @ 2012-06-25 8:36 UTC (permalink / raw) To: refpolicy On Mon, 2012-06-25 at 10:24 +0200, Miroslav Grepl wrote: > >> +seutil_exec_setfiles(dracut_t) > > So you allow it to run setfiles in the dracut domain, but you dont allow > > the dracut domain to relabelfrom and -to anything? > I believe dracut should stay as unconfined domain. Also you probably > will see other domains which are want to execute dracut. And I would > think transitions will be needed rather than just execute apps in the > dracut domain. But what about MLS? MLS doesnt have the luxury of unconfined domains. Also its easy enough to append unconfined_domain(dracut_t) for stable releases only and in the meantime try to perfect the confined dracut domain in test releases as much as possible. ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-25 8:36 ` Dominick Grift @ 2012-06-25 13:42 ` Daniel J Walsh 0 siblings, 0 replies; 21+ messages in thread From: Daniel J Walsh @ 2012-06-25 13:42 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/25/2012 04:36 AM, Dominick Grift wrote: > On Mon, 2012-06-25 at 10:24 +0200, Miroslav Grepl wrote: > >>>> +seutil_exec_setfiles(dracut_t) >>> So you allow it to run setfiles in the dracut domain, but you dont >>> allow the dracut domain to relabelfrom and -to anything? >> I believe dracut should stay as unconfined domain. Also you probably will >> see other domains which are want to execute dracut. And I would think >> transitions will be needed rather than just execute apps in the dracut >> domain. > > But what about MLS? MLS doesnt have the luxury of unconfined domains. > > Also its easy enough to append unconfined_domain(dracut_t) for stable > releases only and in the meantime try to perfect the confined dracut domain > in test releases as much as possible. > > > > _______________________________________________ refpolicy mailing list > refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy > If we are only going to allow dracut to fix the labels on /dev and /run you can add the rules for relabelfrom/relabelto, If it needs to do more maybe a transition to setfiles_t is necessary. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/oasIACgkQrlYvE4MpobPBdACgy4uhK1mxovyBhzgqcJA9OZTc NX4AoI5Le6yrK8B9b3VmCvQNlgjN5e1J =77/O -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-25 8:24 ` Miroslav Grepl 2012-06-25 8:36 ` Dominick Grift @ 2012-06-25 14:35 ` Sven Vermeulen 1 sibling, 0 replies; 21+ messages in thread From: Sven Vermeulen @ 2012-06-25 14:35 UTC (permalink / raw) To: refpolicy On Mon, Jun 25, 2012 at 10:24:24AM +0200, Miroslav Grepl wrote: > I believe dracut should stay as unconfined domain. Also you probably > will see other domains which are want to execute dracut. And I would > think transitions will be needed rather than just execute apps in the > dracut domain. I don't mind people or organizations opting to use unconfined domains, but I strive to run all applications, services and users in a confined manner. It is easy enough, like Dominick said, to add an optional unconfined_domain() to make us all happy ;-) Wkr, Sven Vermeulen ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-24 19:42 ` Dominick Grift 2012-06-25 8:24 ` Miroslav Grepl @ 2012-06-25 14:31 ` Sven Vermeulen 2012-06-25 14:49 ` Dominick Grift 2012-06-25 20:38 ` Sven Vermeulen 2 siblings, 1 reply; 21+ messages in thread From: Sven Vermeulen @ 2012-06-25 14:31 UTC (permalink / raw) To: refpolicy On Sun, Jun 24, 2012 at 09:42:09PM +0200, Dominick Grift wrote: > > +######################################## > > +## <summary> > > +## Allow domain to manage dracut temporary files > > +## </summary> > > +## <param name="domain"> > > +## <summary> > > +## Domain allowed access. > > +## </summary> > > +## </param> > > +# > > +interface(`dracut_manage_tmp_files',` > > + gen_require(` > > + type dracut_tmp_t; > > + ') > > + > > + files_search_var($1) > > + files_search_tmp($1) > > + > > + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t) > > + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t) > > + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t) > > +') > This isn't what it say's it is. I would probably make it > dracut_manage_tmp() > > Allow, and dracut in description is obvious, i would make it "Manage > temporary content" Ok > > +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) > > +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) > > +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) > > +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir }) > i suspect not all these type transitions are needed. I think they were. Dracut generated a temporary directory in which it positioned whatever information it needed to generate an initramfs. I'm not sure about the lnk_file, so I'll try again to verify (I'll just add in a temporary auditallow to make sure locally ;-) > > +modutils_exec_depmod(dracut_t) > > +modutils_exec_insmod(dracut_t) > > +modutils_list_module_config(dracut_t) > redundant this is already allowed with modutils_read_module_config() Ok > > +modutils_read_module_config(dracut_t) > > +modutils_read_module_deps(dracut_t) > > + > > +mount_exec(dracut_t) > > + > > +seutil_exec_setfiles(dracut_t) > So you allow it to run setfiles in the dracut domain, but you dont allow > the dracut domain to relabelfrom and -to anything? It's not about executing; dracut uses "ldd" to scan for libraries it needs in the initramfs. But using "ldd" means that ldd (underlyingly) executes the files. Hence, the need for _exec (but not for _domtrans or functionality). Wkr, Sven Vermeulen ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-25 14:31 ` Sven Vermeulen @ 2012-06-25 14:49 ` Dominick Grift 2012-06-25 14:53 ` Dominick Grift 0 siblings, 1 reply; 21+ messages in thread From: Dominick Grift @ 2012-06-25 14:49 UTC (permalink / raw) To: refpolicy > > > +seutil_exec_setfiles(dracut_t) > > So you allow it to run setfiles in the dracut domain, but you dont allow > > the dracut domain to relabelfrom and -to anything? > > It's not about executing; dracut uses "ldd" to scan for libraries it needs > in the initramfs. But using "ldd" means that ldd (underlyingly) executes the > files. Hence, the need for _exec (but not for _domtrans or functionality). > I think you want mmap ( create a seutil_check_exec_setfiles() or something) mmap provides only execute exec provides execute as well as execute_no_trans i think that , if i understand you correctly, it doesnt need the execute_no_trans ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-25 14:49 ` Dominick Grift @ 2012-06-25 14:53 ` Dominick Grift 2012-06-25 15:29 ` Daniel J Walsh 2012-06-25 16:29 ` Sven Vermeulen 0 siblings, 2 replies; 21+ messages in thread From: Dominick Grift @ 2012-06-25 14:53 UTC (permalink / raw) To: refpolicy On Mon, 2012-06-25 at 16:49 +0200, Dominick Grift wrote: > > > > +seutil_exec_setfiles(dracut_t) > > > So you allow it to run setfiles in the dracut domain, but you dont allow > > > the dracut domain to relabelfrom and -to anything? > > > > It's not about executing; dracut uses "ldd" to scan for libraries it needs > > in the initramfs. But using "ldd" means that ldd (underlyingly) executes the > > files. Hence, the need for _exec (but not for _domtrans or functionality). > > > > I think you want mmap ( create a seutil_check_exec_setfiles() or > something) > > mmap provides only execute > exec provides execute as well as execute_no_trans > > i think that , if i understand you correctly, it doesnt need the > execute_no_trans > but nevertheless, push comes to shove, dracut should probably optionally be allowed to (really) execute setfiles and be allowed to dev_relabel_all_devices In at least old fedora it mounts /sysroot/dev, restores context of /dev and then loads policy (if i am not mistaken) > ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-25 14:53 ` Dominick Grift @ 2012-06-25 15:29 ` Daniel J Walsh 2012-06-25 16:29 ` Sven Vermeulen 1 sibling, 0 replies; 21+ messages in thread From: Daniel J Walsh @ 2012-06-25 15:29 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/25/2012 10:53 AM, Dominick Grift wrote: > On Mon, 2012-06-25 at 16:49 +0200, Dominick Grift wrote: >>>>> +seutil_exec_setfiles(dracut_t) >>>> So you allow it to run setfiles in the dracut domain, but you dont >>>> allow the dracut domain to relabelfrom and -to anything? >>> >>> It's not about executing; dracut uses "ldd" to scan for libraries it >>> needs in the initramfs. But using "ldd" means that ldd (underlyingly) >>> executes the files. Hence, the need for _exec (but not for _domtrans or >>> functionality). >>> >> >> I think you want mmap ( create a seutil_check_exec_setfiles() or >> something) >> >> mmap provides only execute exec provides execute as well as >> execute_no_trans >> >> i think that , if i understand you correctly, it doesnt need the >> execute_no_trans >> > > but nevertheless, push comes to shove, dracut should probably optionally be > allowed to (really) execute setfiles and be allowed to > dev_relabel_all_devices > > In at least old fedora it mounts /sysroot/dev, restores context of /dev and > then loads policy (if i am not mistaken) > >> > > > _______________________________________________ refpolicy mailing list > refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy > Yes although I think that is being done by systemd or systemd-udev now. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/og9cACgkQrlYvE4MpobOgFQCfc/1HkxLjTKynRsy9qtG8LaN+ ZRwAnA6TgB/A1Z3Mv6m7Gv5yJZXwql12 =J4oz -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-25 14:53 ` Dominick Grift 2012-06-25 15:29 ` Daniel J Walsh @ 2012-06-25 16:29 ` Sven Vermeulen 2012-06-25 16:36 ` Dominick Grift 1 sibling, 1 reply; 21+ messages in thread From: Sven Vermeulen @ 2012-06-25 16:29 UTC (permalink / raw) To: refpolicy On Mon, Jun 25, 2012 at 04:53:29PM +0200, Dominick Grift wrote: > > I think you want mmap ( create a seutil_check_exec_setfiles() or > > something) > > > > mmap provides only execute > > exec provides execute as well as execute_no_trans > > > > i think that , if i understand you correctly, it doesnt need the > > execute_no_trans > > > > but nevertheless, push comes to shove, dracut should probably optionally > be allowed to (really) execute setfiles and be allowed to > dev_relabel_all_devices > > In at least old fedora it mounts /sysroot/dev, restores context of /dev > and then loads policy (if i am not mistaken) Thanks for the mmap hint, didn't know there was something like that. Regarding the policy allowing executing - dracut_t is about the dracut application. The initramfs itself doesn't run in dracut_t, but in init_t or kernel_t (depending on when the policy itself is loaded)... Wkr, Sven Vermeulen ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-25 16:29 ` Sven Vermeulen @ 2012-06-25 16:36 ` Dominick Grift 0 siblings, 0 replies; 21+ messages in thread From: Dominick Grift @ 2012-06-25 16:36 UTC (permalink / raw) To: refpolicy A. On Mon, 2012-06-25 at 18:29 +0200, Sven Vermeulen wrote: > On Mon, Jun 25, 2012 at 04:53:29PM +0200, Dominick Grift wrote: > > > I think you want mmap ( create a seutil_check_exec_setfiles() or > > > something) > > > > > > mmap provides only execute > > > exec provides execute as well as execute_no_trans > > > > > > i think that , if i understand you correctly, it doesnt need the > > > execute_no_trans > > > > > > > but nevertheless, push comes to shove, dracut should probably optionally > > be allowed to (really) execute setfiles and be allowed to > > dev_relabel_all_devices > > > > In at least old fedora it mounts /sysroot/dev, restores context of /dev > > and then loads policy (if i am not mistaken) > > Thanks for the mmap hint, didn't know there was something like that. > > Regarding the policy allowing executing - dracut_t is about the dracut > application. The initramfs itself doesn't run in dracut_t, but in init_t or > kernel_t (depending on when the policy itself is loaded)... Whoops yes thats right, kernel_t i guess... ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 3/5] Adding dracut policy 2012-06-24 19:42 ` Dominick Grift 2012-06-25 8:24 ` Miroslav Grepl 2012-06-25 14:31 ` Sven Vermeulen @ 2012-06-25 20:38 ` Sven Vermeulen 2 siblings, 0 replies; 21+ messages in thread From: Sven Vermeulen @ 2012-06-25 20:38 UTC (permalink / raw) To: refpolicy On Sun, Jun 24, 2012 at 09:42:09PM +0200, Dominick Grift wrote: > > +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) > > +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) > > +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t) > > +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir }) > i suspect not all these type transitions are needed. Indeed, dir is sufficient on the type transition. Dracut creates a temporary working directory in /var/tmp in which it pregenerates its initramfs environment. The manage_* stuff needs to be elaborated a bit though (including chr_file support at least). > > +modutils_list_module_config(dracut_t) > redundant this is already allowed with modutils_read_module_config() It's not. In modutils_read_module_config, you have search privileges in the directory, but not listing privileges. Dracut needs listing privileges, as it uses something like "find /etc/modprobe.d" in its internal operations. I could add in list_dirs_pattern() in the modutils_read_module_config(), but then that would enlarge the privileges for other domains that have this (which is about 12 domains on my system). Wkr, Sven Vermeulen ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut 2012-06-24 18:03 [refpolicy] [PATCH v2 0/5] Support dracut domain Sven Vermeulen ` (2 preceding siblings ...) 2012-06-24 18:04 ` [refpolicy] [PATCH v2 3/5] Adding dracut policy Sven Vermeulen @ 2012-06-24 18:05 ` Sven Vermeulen 2012-06-25 13:44 ` Daniel J Walsh 2012-06-24 18:05 ` [refpolicy] [PATCH v2 5/5] Allow sysadm_t to call dracut and transition to dracut_t Sven Vermeulen 4 siblings, 1 reply; 21+ messages in thread From: Sven Vermeulen @ 2012-06-24 18:05 UTC (permalink / raw) To: refpolicy The dracut application calls, amongst other applications, ldconfig and depmod and gets them to write information in a temporary location created by dracut. This allows those domains manage access to these locations. Write privileges alone were not sufficient as new files were created as well. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/system/libraries.te | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 992d105..834b7fe 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -131,6 +131,10 @@ optional_policy(` ') optional_policy(` + dracut_manage_tmp_files(ldconfig_t) +') + +optional_policy(` puppet_rw_tmp(ldconfig_t) ') -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut 2012-06-24 18:05 ` [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut Sven Vermeulen @ 2012-06-25 13:44 ` Daniel J Walsh 0 siblings, 0 replies; 21+ messages in thread From: Daniel J Walsh @ 2012-06-25 13:44 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/24/2012 02:05 PM, Sven Vermeulen wrote: > The dracut application calls, amongst other applications, ldconfig and > depmod and gets them to write information in a temporary location created > by dracut. This allows those domains manage access to these locations. > > Write privileges alone were not sufficient as new files were created as > well. > > Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- > policy/modules/system/libraries.te | 4 ++++ 1 files changed, 4 > insertions(+), 0 deletions(-) > > diff --git a/policy/modules/system/libraries.te > b/policy/modules/system/libraries.te index 992d105..834b7fe 100644 --- > a/policy/modules/system/libraries.te +++ > b/policy/modules/system/libraries.te @@ -131,6 +131,10 @@ > optional_policy(` ') > > optional_policy(` + dracut_manage_tmp_files(ldconfig_t) +') + > +optional_policy(` puppet_rw_tmp(ldconfig_t) ') > > Don't transition to ldconfig_t, it is a crappy domain with little value. Just add the filename trans rules for dacut and then we don't end up with this kind of nonsence. I wish ldconfig_t and consoletype_t... and any other domain invented to maintain labeling would just dissapear, they just generate bug reports without adding any security. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk/oazgACgkQrlYvE4MpobNPMQCg1OJ8RGrrsYMa9a+w+JTQEmxI VDEAoNE6D3FgqKlxgLHqRuEPNA0N4wj6 =gp0p -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 21+ messages in thread
* [refpolicy] [PATCH v2 5/5] Allow sysadm_t to call dracut and transition to dracut_t 2012-06-24 18:03 [refpolicy] [PATCH v2 0/5] Support dracut domain Sven Vermeulen ` (3 preceding siblings ...) 2012-06-24 18:05 ` [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut Sven Vermeulen @ 2012-06-24 18:05 ` Sven Vermeulen 4 siblings, 0 replies; 21+ messages in thread From: Sven Vermeulen @ 2012-06-24 18:05 UTC (permalink / raw) To: refpolicy Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be> --- policy/modules/roles/sysadm.te | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index bd5a2ea..e5adaad 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -152,6 +152,10 @@ optional_policy(` ') optional_policy(` + dracut_run(sysadm_t, sysadm_r) +') + +optional_policy(` firstboot_run(sysadm_t, sysadm_r) ') -- 1.7.3.4 ^ permalink raw reply related [flat|nested] 21+ messages in thread
end of thread, other threads:[~2012-06-25 20:38 UTC | newest] Thread overview: 21+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-06-24 18:03 [refpolicy] [PATCH v2 0/5] Support dracut domain Sven Vermeulen 2012-06-24 18:03 ` [refpolicy] [PATCH v2 1/5] Add read interface for udev rules Sven Vermeulen 2012-06-24 19:28 ` Dominick Grift 2012-06-24 18:04 ` [refpolicy] [PATCH v2 2/5] Support listing module configuration files Sven Vermeulen 2012-06-24 19:32 ` Dominick Grift 2012-06-24 18:04 ` [refpolicy] [PATCH v2 3/5] Adding dracut policy Sven Vermeulen 2012-06-24 19:42 ` Dominick Grift 2012-06-25 8:24 ` Miroslav Grepl 2012-06-25 8:36 ` Dominick Grift 2012-06-25 13:42 ` Daniel J Walsh 2012-06-25 14:35 ` Sven Vermeulen 2012-06-25 14:31 ` Sven Vermeulen 2012-06-25 14:49 ` Dominick Grift 2012-06-25 14:53 ` Dominick Grift 2012-06-25 15:29 ` Daniel J Walsh 2012-06-25 16:29 ` Sven Vermeulen 2012-06-25 16:36 ` Dominick Grift 2012-06-25 20:38 ` Sven Vermeulen 2012-06-24 18:05 ` [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut Sven Vermeulen 2012-06-25 13:44 ` Daniel J Walsh 2012-06-24 18:05 ` [refpolicy] [PATCH v2 5/5] Allow sysadm_t to call dracut and transition to dracut_t Sven Vermeulen
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.