From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut
Date: Mon, 25 Jun 2012 09:44:24 -0400	[thread overview]
Message-ID: <4FE86B38.4070902@redhat.com> (raw)
In-Reply-To: <20120624180514.GE11810@siphos.be>

On 06/24/2012 02:05 PM, Sven Vermeulen wrote:
> The dracut application calls, amongst other applications, ldconfig and
> depmod and gets them to write information in a temporary location created
> by dracut. This allows those domains to manage access to these locations.
> 
> Write privileges alone were not sufficient as new files were created as
> well.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/libraries.te |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/libraries.te
> b/policy/modules/system/libraries.te index 992d105..834b7fe 100644 ---
> a/policy/modules/system/libraries.te +++
> b/policy/modules/system/libraries.te @@ -131,6 +131,10 @@
> optional_policy(` ')
> 
> optional_policy(` +	dracut_manage_tmp_files(ldconfig_t) +') + 
> +optional_policy(` puppet_rw_tmp(ldconfig_t) ')
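Review bot: `dracut_manage_tmp_files(ldconfig_t)` grants manage access to every ldconfig_t process, not only the ones spawned by dracut, so the access the commit message describes as for "domains called by dracut" is in fact unconditional for the whole domain; if the intent is limited to the dracut call chain, handle it on the dracut side (for example by not transitioning to ldconfig_t from dracut_t, or by labeling what dracut creates) rather than widening ldconfig_t. Also, the commit message names depmod alongside ldconfig, but the diffstat shows only libraries.te changed, so depmod's domain receives no matching rule in this patch; either extend the patch or adjust the description.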
> 
> 
Don't transition to ldconfig_t, it is a crappy domain with little value.  Just
add the filename trans rules for dracut and then we don't end up with this kind
of nonsense.

I wish ldconfig_t and consoletype_t... and any other domain invented to
maintain labeling would just disappear, they just generate bug reports without
adding any security.

