From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 25 Jun 2012 10:36:22 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <4FE82038.7070707@redhat.com>
References: <20120624180258.GA11810@siphos.be> <20120624180448.GD11810@siphos.be> <1340566929.8671.10.camel@x220.mydomain.internal> <4FE82038.7070707@redhat.com>
Message-ID: <1340613382.15451.2.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-06-25 at 10:24 +0200, Miroslav Grepl wrote:
> >> +seutil_exec_setfiles(dracut_t)
> > So you allow it to run setfiles in the dracut domain, but you don't allow
> > the dracut domain to relabelfrom and -to anything?
> I believe dracut should stay as unconfined domain. Also you probably
> will see other domains which want to execute dracut. And I would
> think transitions will be needed rather than just execute apps in the
> dracut domain.

But what about MLS? MLS doesn't have the luxury of unconfined domains.

Also it's easy enough to append unconfined_domain(dracut_t) for stable
releases only and in the meantime try to perfect the confined dracut
domain in test releases as much as possible.
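Review bot: the quoted `+seutil_exec_setfiles(dracut_t)` line only grants dracut_t permission to execute setfiles; it carries no relabelfrom/relabelto rules for the dracut domain, so a setfiles run from dracut_t would be denied the relabels it exists to perform. Either pair the line with the relabel permissions dracut actually needs, or note in the patch why execute-only is intentional, so the confined-versus-unconfined decision raised in this thread can be judged from the policy itself.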