From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 25 Jun 2012 09:42:26 -0400
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <1340613382.15451.2.camel@x220.mydomain.internal>
References: <20120624180258.GA11810@siphos.be>
 <20120624180448.GD11810@siphos.be>
 <1340566929.8671.10.camel@x220.mydomain.internal>
 <4FE82038.7070707@redhat.com>
 <1340613382.15451.2.camel@x220.mydomain.internal>
Message-ID: <4FE86AC2.9080809@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/25/2012 04:36 AM, Dominick Grift wrote:
> On Mon, 2012-06-25 at 10:24 +0200, Miroslav Grepl wrote:
>
>>>> +seutil_exec_setfiles(dracut_t)
>>> So you allow it to run setfiles in the dracut domain, but you don't
>>> allow the dracut domain to relabelfrom and -to anything?
>> I believe dracut should stay as an unconfined domain. Also you probably will
>> see other domains which want to execute dracut. And I would think
>> transitions will be needed rather than just execute apps in the dracut
>> domain.
>
> But what about MLS? MLS doesn't have the luxury of unconfined domains.
>
> Also it's easy enough to append unconfined_domain(dracut_t) for stable
> releases only and in the meantime try to perfect the confined dracut domain
> in test releases as much as possible.
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

If we are only going to allow dracut to fix the labels on /dev and /run you
can add the rules for relabelfrom/relabelto. If it needs to do more, maybe a
transition to setfiles_t is necessary.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/oasIACgkQrlYvE4MpobPBdACgy4uhK1mxovyBhzgqcJA9OZTc
NX4AoI5Le6yrK8B9b3VmCvQNlgjN5e1J
=77/O
-----END PGP SIGNATURE-----
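Review bot: `seutil_exec_setfiles(dracut_t)` only grants dracut_t permission to execute the setfiles binary; the relabel operations setfiles then performs are checked against dracut_t, which this hunk gives no relabelfrom/relabelto rules, so every label fix it attempts will be denied. Either add relabel rules scoped to the /dev and /run types dracut needs to touch, or replace the exec rule with a domain transition to setfiles_t so the relabel rights stay with that domain.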
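The two shapes Dan Walsh describes above, scoped relabel rules for dracut_t versus a transition into setfiles_t, written out as a refpolicy module fragment. This is an added illustration, not code from the v2 patch or from refpolicy itself. Only `seutil_exec_setfiles` is quoted in the thread; `seutil_domtrans_setfiles`, `dev_relabel_all_dev_nodes`, `files_relabel_all_pids` and `init_system_domain` are assumed to be the refpolicy interface names for these operations and should be checked against the tree being built, and the `dracut_relabel_via_setfiles_t` m4 define is a hypothetical build switch used here only to keep the two options mutually exclusive.

```selinux
policy_module(dracut, 1.0.0)

########################################
#
# Declarations
#

type dracut_t;
type dracut_exec_t;
# Assumed interface: declares dracut_t as a system domain entered via dracut_exec_t.
init_system_domain(dracut_t, dracut_exec_t)

########################################
#
# Local policy
#

# Hypothetical build define (not a refpolicy define) selecting which
# of the two approaches from the thread is compiled in.
ifdef(`dracut_relabel_via_setfiles_t',`
	# Option B: dracut needs more than /dev and /run fixed, so hand the
	# work to the existing setfiles_t domain. dracut_t only gets the
	# execute + domain transition; relabelfrom/relabelto stay with
	# setfiles_t and dracut_t gains none of them.
	seutil_domtrans_setfiles(dracut_t)
',`
	# Option A: setfiles runs inside dracut_t (the rule from the patch).
	seutil_exec_setfiles(dracut_t)

	# Because there is no domain change, every relabel that setfiles
	# performs is checked against dracut_t. Without the two rules below
	# each label fix is denied; with them the grant is limited to device
	# nodes and /run content rather than the whole filesystem.
	dev_relabel_all_dev_nodes(dracut_t)
	files_relabel_all_pids(dracut_t)
')
```

After building and loading the module, `sesearch -A -s dracut_t -p relabelto` on the compiled policy shows which target types dracut_t may actually relabel under Option A (and none under Option B, where the same query against setfiles_t is the relevant one); an `avc: denied { relabelto }` or `{ relabelfrom }` record with `scontext=...:dracut_t` in the audit log is the symptom of the gap the reviewers point out.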