From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 5 Jan 2012 20:28:31 +0100
Subject: [refpolicy] [PATCH 3/5] Adding dracut policy
In-Reply-To: <20120104200247.GD6512@siphos.be>
References: <20120104200014.GA6512@siphos.be> <20120104200247.GD6512@siphos.be>
Message-ID: <20120105192831.GA29115@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Jan 04, 2012 at 09:02:47PM +0100, Sven Vermeulen wrote:
> Running dracut out of the sysadm_t domain doesn't (fully) work on a policy without unconfined domains. The calls to depmod,
> whose output is then directed to a tmp location, are denied through this. Instead of granting depmod (and other tools)
> "manage" access to user_tmp_t, we create a separate domain for dracut (called dracut_t) and grant these tools management
> access to dracut_tmp_t.
[...]

Looks like I was a bit too overzealous here, many of the _domtrans can actually be changed to _exec calls. They are never really executed, but used by ldd (which does mean the files are somewhat executed, hence the reports) to find out which libraries need to be pulled in as well.

I'll draft up a new patch "batch" soon when I've cleaned those out.

Wkr,
	Sven Vermeulen
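The distinction between a _domtrans and an _exec interface is the whole point of the follow-up above, so here is a minimal reference-policy style sketch of it. This is an added illustration written for this page, not the dracut module from Sven's patch series: the module name dracut_example, the types dracut_exec_t and dracut_tmp_t, and the use of modutils_exec_depmod / modutils_domtrans_depmod are assumptions about refpolicy's modutils.if and files.if interfaces, not a transcript of the submitted policy.

```selinux
policy_module(dracut_example, 1.0.0)

########################################
#
# Declarations (illustrative names, not the submitted patch)
#

type dracut_t;
type dracut_exec_t;
application_domain(dracut_t, dracut_exec_t)
role system_r types dracut_t;

# Private scratch label, so depmod and friends never need
# "manage" rights on the generic user_tmp_t.
type dracut_tmp_t;
files_tmp_file(dracut_tmp_t)

########################################
#
# dracut_t local policy
#

# dracut_t owns its temporary tree and creates it with the private label
manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
files_tmp_filetrans(dracut_t, dracut_tmp_t, { dir file })

# Too broad for what dracut actually does with the binary:
# a domain transition puts the child in depmod's own domain, so every
# write into dracut_tmp_t would then have to be granted to THAT domain too.
#
#   modutils_domtrans_depmod(dracut_t)
#
# What is really happening is ldd resolving the binary's library list.
# ldd invokes the dynamic loader on the file (hence the execute AVC),
# but no transition is wanted: the work stays in dracut_t, and the
# dracut_tmp_t rules above already cover the output. An _exec
# interface grants exactly that and nothing more.
modutils_exec_depmod(dracut_t)
```

The check to run after such a change is simply to rebuild dracut with the candidate module loaded and confirm that the remaining AVC denials on depmod_exec_t are execute / execute_no_trans from dracut_t (ldd's trace) rather than transition attempts; if a tool genuinely has to run in its own domain, keep the _domtrans for that one and give its domain write access to dracut_tmp_t instead of user_tmp_t.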