From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 25 Jun 2012 09:44:24 -0400
Subject: [refpolicy] [PATCH v2 4/5] Grant dracut_manage_tmp_files to domains called by dracut
In-Reply-To: <20120624180514.GE11810@siphos.be>
References: <20120624180258.GA11810@siphos.be> <20120624180514.GE11810@siphos.be>
Message-ID: <4FE86B38.4070902@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/24/2012 02:05 PM, Sven Vermeulen wrote:
> The dracut application calls, amongst other applications, ldconfig and
> depmod and gets them to write information in a temporary location created
> by dracut. This allows those domains to manage access to these locations.
>
> Write privileges alone were not sufficient as new files were created as
> well.
>
> Signed-off-by: Sven Vermeulen
> ---
>  policy/modules/system/libraries.te | 4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/libraries.te > b/policy/modules/system/libraries.te index 992d105..834b7fe 100644 --- > a/policy/modules/system/libraries.te +++ > b/policy/modules/system/libraries.te @@ -131,6 +131,10 @@ > optional_policy(` ') > > optional_policy(` + dracut_manage_tmp_files(ldconfig_t) +') + > +optional_policy(` puppet_rw_tmp(ldconfig_t) ') > >

Don't transition to ldconfig_t, it is a crappy domain with little value.
Just add the filename trans rules for dracut and then we don't end up with
this kind of nonsense. I wish ldconfig_t and consoletype_t... and any other
domain invented to maintain labeling would just disappear, they just
generate bug reports without adding any security.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/oazgACgkQrlYvE4MpobNPMQCg1OJ8RGrrsYMa9a+w+JTQEmxI
VDEAoNE6D3FgqKlxgLHqRuEPNA0N4wj6
=gp0p
-----END PGP SIGNATURE-----
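Review bot: the commit message justifies this change with dracut driving both ldconfig and depmod into its temporary directory, but the only rule in the hunk is the new `optional_policy(` block granting `dracut_manage_tmp_files(ldconfig_t)`; if depmod runs in a domain of its own, the matching rule is not in this patch, so the message should say which patch in the series covers it (or that depmod needs nothing here). The justification given, "new files were created", also does not by itself call for the manage interface: in refpolicy a manage pattern grants create, read, write, delete, rename and link on every file carrying dracut's tmp label, which is more than ldconfig needs to write its own output there. The alternative raised in Dan Walsh's reply, a filename transition so that the file ldconfig creates in dracut's tmp directory gets a label ldconfig_t already has rights to, would keep ldconfig_t from gaining full control over all of dracut's temporary files. Placement before the puppet block keeps the optional_policy blocks in alphabetical order, which matches the existing style of this file.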