From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
Date: Mon, 25 Jun 2012 16:31:47 +0200
Message-ID: <20120625143147.GA14206@siphos.be>
In-Reply-To: <1340566929.8671.10.camel@x220.mydomain.internal>
On Sun, Jun 24, 2012 at 09:42:09PM +0200, Dominick Grift wrote:
> > +########################################
> > +## <summary>
> > +## Allow domain to manage dracut temporary files
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`dracut_manage_tmp_files',`
> > + gen_require(`
> > + type dracut_tmp_t;
> > + ')
> > +
> > + files_search_var($1)
> > + files_search_tmp($1)
> > +
> > + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > +')
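Review bot: the interface name and summary ("dracut_manage_tmp_files", "manage dracut temporary files") understate what the body grants, since it also manages directories and reads symlinks of type dracut_tmp_t; rename it to cover the directory content too and word the summary to match. Separately, `files_search_var($1)` looks out of place next to `files_search_tmp($1)`: the domain body only sets up a transition under /tmp via files_tmp_filetrans, so either drop the /var search or note where dracut_tmp_t content is expected under /var.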
> This isn't what it says it is. I would probably make it
> dracut_manage_tmp()
>
> Allow, and dracut in description is obvious, I would make it "Manage
> temporary content"
Ok
> > +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
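Review bot: manage_lnk_files_pattern and the lnk_file class in files_tmp_filetrans here should be kept in step with the interface above, which only grants read_lnk_files_pattern on dracut_tmp_t. If the lnk_file transition turns out to be unneeded, drop lnk_file from both lines together rather than leaving the manage rule behind; if it is needed, the interface's read-only symlink access may be too narrow for the domains that work inside the dracut temporary directory.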
> I suspect not all these type transitions are needed.
I think they were. Dracut generated a temporary directory in which it
positioned whatever information it needed to generate an initramfs. I'm not
sure about the lnk_file, so I'll try again to verify (I'll just add in a
temporary auditallow to make sure locally ;-)
> > +modutils_exec_depmod(dracut_t)
> > +modutils_exec_insmod(dracut_t)
> > +modutils_list_module_config(dracut_t)
> redundant this is already allowed with modutils_read_module_config()
Ok
> > +modutils_read_module_config(dracut_t)
> > +modutils_read_module_deps(dracut_t)
> > +
> > +mount_exec(dracut_t)
> > +
> > +seutil_exec_setfiles(dracut_t)
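Review bot: seutil_exec_setfiles(dracut_t) and mount_exec(dracut_t) with no matching relabel or mount permissions read as incomplete to anyone auditing the policy later; add a comment in the .te beside these _exec calls stating that dracut only runs ldd over the binaries to collect libraries for the initramfs, so file execute is required but no domain transition or further permission is. The same comment belongs next to modutils_exec_depmod and modutils_exec_insmod above.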
> So you allow it to run setfiles in the dracut domain, but you don't allow
> the dracut domain to relabelfrom and -to anything?
It's not about executing; dracut uses "ldd" to scan for libraries it needs
in the initramfs. But using "ldd" means that ldd (underlyingly) executes the
files. Hence, the need for _exec (but not for _domtrans or functionality).
Wkr,
Sven Vermeulen
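The reason given above for the _exec interfaces (ldd runs the binary through the dynamic loader, which is also why ldd(1) warns against using it on untrusted executables) is the security-relevant point of this exchange. As an added example that is neither dracut's nor refpolicy's code, the following Python collects the same information, the DT_NEEDED entries, by parsing the ELF dynamic section directly. That needs only read access to the file, so a tool working this way would not need execute permission in the policy. The ELF image it parses is constructed inline for the example; `build_sample_elf` and `needed_libraries` are names chosen here, and only ELF64 little-endian images are handled.

```python
"""List DT_NEEDED sonames of an ELF64 little-endian file without executing it.
Added example, not dracut or refpolicy code; the sample ELF image is constructed
inline so the script runs offline."""
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def _vaddr_to_offset(load_segments, vaddr):
    """Map a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in load_segments:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address %#x not backed by any PT_LOAD segment" % vaddr)


def needed_libraries(data):
    """Return the DT_NEEDED soname strings of an ELF64 LE image, in order.
    Nothing in the image is mapped executable or run: it is plain parsing."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    # Elf64_Ehdr: e_phoff at byte 32, e_phentsize at 54, e_phnum at 56.
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    loads, dynamic = [], None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # Elf64_Phdr prefix: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = \
            struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []  # no dynamic section: nothing to pull into an initramfs
    d_off, d_size = dynamic
    needed_offsets, strtab_vaddr = [], None
    for pos in range(d_off, d_off + d_size, 16):  # Elf64_Dyn is 16 bytes
        d_tag, d_val = struct.unpack_from("<qQ", data, pos)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed_offsets.append(d_val)
        elif d_tag == DT_STRTAB:
            strtab_vaddr = d_val
    if strtab_vaddr is None:
        raise ValueError("PT_DYNAMIC without DT_STRTAB")
    strtab_off = _vaddr_to_offset(loads, strtab_vaddr)
    result = []
    for n in needed_offsets:
        start = strtab_off + n
        end = data.index(b"\0", start)
        result.append(data[start:end].decode("ascii", "replace"))
    return result


def build_sample_elf(sonames=("libc.so.6", "libz.so.1")):
    """Constructed sample (not a real build artefact): a minimal ELF64 image
    with one PT_LOAD covering the file at vaddr 0 and a PT_DYNAMIC naming
    the given sonames. Not runnable as a program; only meant to be parsed."""
    strtab = b"\0" + b"\0".join(s.encode() for s in sonames) + b"\0"
    name_off, pos = [], 1
    for s in sonames:
        name_off.append(pos)
        pos += len(s) + 1
    ehdr_size, phdr_size = 64, 56
    strtab_off = ehdr_size + 2 * phdr_size
    dyn_off = strtab_off + len(strtab)
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, o) for o in name_off)
    dyn += struct.pack("<qQ", DT_STRTAB, strtab_off)  # vaddr == offset here
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, 2, 0, 0, 0)

    def phdr(p_type, off, size):
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)

    image = (ehdr + phdr(PT_LOAD, 0, total) + phdr(PT_DYNAMIC, dyn_off, len(dyn))
             + strtab + dyn)
    assert len(image) == total
    return image


if __name__ == "__main__":
    # Usage: python3 needed.py /path/to/binary   (or no argument for the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name in needed_libraries(blob):
        print(name)
```

Resolving each soname to a path (what ldd prints) is a second step left out here; the point of the block is that the dependency list itself can be obtained with read access alone.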
Thread overview: 21+ messages
2012-06-24 18:03 [refpolicy] [PATCH v2 0/5] Support dracut domain Sven Vermeulen
2012-06-24 18:03 ` [refpolicy] [PATCH v2 1/5] Add read interface for udev rules Sven Vermeulen
2012-06-24 19:28 ` Dominick Grift
2012-06-24 18:04 ` [refpolicy] [PATCH v2 2/5] Support listing module configuration files Sven Vermeulen
2012-06-24 19:32 ` Dominick Grift
2012-06-24 18:04 ` [refpolicy] [PATCH v2 3/5] Adding dracut policy Sven Vermeulen
2012-06-24 19:42 ` Dominick Grift
2012-06-25 8:24 ` Miroslav Grepl
2012-06-25 8:36 ` Dominick Grift
2012-06-25 13:42 ` Daniel J Walsh
2012-06-25 14:35 ` Sven Vermeulen
2012-06-25 14:31 ` Sven Vermeulen [this message]
2012-06-25 14:49 ` Dominick Grift
2012-06-25 14:53 ` Dominick Grift
2012-06-25 15:29 ` Daniel J Walsh
2012-06-25 16:29 ` Sven Vermeulen
2012-06-25 16:36 ` Dominick Grift
2012-06-25 20:38 ` Sven Vermeulen
2012-06-24 18:05 ` [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut Sven Vermeulen
2012-06-25 13:44 ` Daniel J Walsh
2012-06-24 18:05 ` [refpolicy] [PATCH v2 5/5] Allow sysadm_t to call dracut and transition to dracut_t Sven Vermeulen