From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 25 Jun 2012 16:31:47 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <1340566929.8671.10.camel@x220.mydomain.internal>
References: <20120624180258.GA11810@siphos.be>
 <20120624180448.GD11810@siphos.be>
 <1340566929.8671.10.camel@x220.mydomain.internal>
Message-ID: <20120625143147.GA14206@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Jun 24, 2012 at 09:42:09PM +0200, Dominick Grift wrote:
> > +########################################
> > +##
> > +## Allow domain to manage dracut temporary files
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +#
> > +interface(`dracut_manage_tmp_files',`
> > + gen_require(`
> > + type dracut_tmp_t;
> > + ')
> > +
> > + files_search_var($1)
> > + files_search_tmp($1)
> > +
> > + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > +')
> This isn't what it says it is. I would probably make it
> dracut_manage_tmp()
>
> Allow, and dracut in description is obvious, I would make it "Manage
> temporary content"

Ok

> > +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
> I suspect not all these type transitions are needed.

I think they were. Dracut generated a temporary directory in which it
positioned whatever information it needed to generate an initramfs.

I'm not sure about the lnk_file, so I'll try again to verify (I'll just
add in a temporary auditallow to make sure locally ;-)

> > +modutils_exec_depmod(dracut_t)
> > +modutils_exec_insmod(dracut_t)
> > +modutils_list_module_config(dracut_t)
> Redundant: this is already allowed with modutils_read_module_config()

Ok

> > +modutils_read_module_config(dracut_t)
> > +modutils_read_module_deps(dracut_t)
> > +
> > +mount_exec(dracut_t)
> > +
> > +seutil_exec_setfiles(dracut_t)
> So you allow it to run setfiles in the dracut domain, but you don't allow
> the dracut domain to relabelfrom and -to anything?

It's not about executing; dracut uses "ldd" to scan for libraries it needs
in the initramfs. But using "ldd" means that ldd (underlyingly) executes
the files. Hence, the need for _exec (but not for _domtrans or
functionality).

Wkr,
	Sven Vermeulen
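Review bot: in the `dracut_manage_tmp_files` interface the symlink rule is `read_lnk_files_pattern`, while the interface name and summary promise manage access and the dracut_t rules later in the patch use `manage_lnk_files_pattern` on the same type. Either switch the interface to `manage_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)` so callers get the access the name implies, or state in the summary that symlinks are read-only. Renaming the interface to `dracut_manage_tmp()` as suggested in the review does not remove that mismatch on its own.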
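Review bot: `files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })` only applies to objects dracut_t creates directly in a tmp_t directory; anything created inside the dracut_tmp_t working directory inherits dracut_tmp_t from its parent and needs no transition rule at all. If dracut creates one top-level directory and then populates it, as the reply describes, `dir` is the only class the transition needs. The auditallow check proposed in the reply is the right way to confirm whether `file` or `lnk_file` objects are ever created directly in /tmp before keeping those two classes.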
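Review bot: `mount_exec(dracut_t)` and `seutil_exec_setfiles(dracut_t)` need a comment in the .te file saying why plain exec is granted: dracut runs ldd over the binaries it copies into the initramfs, and ldd executes its argument in place, so execute permission is required while no domain transition and no relabel permission is. Without that comment the next reader will raise the same question the review did, or add relabelfrom/relabelto that this use does not require. A line such as `# dracut runs ldd over these binaries; ldd executes them in the dracut_t domain` above the block would do.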
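As an added example (not code from this thread, from dracut or from refpolicy), the Python below shows the non-executing alternative to the ldd scan described in the reply: it reads a binary's DT_NEEDED entries straight from the ELF dynamic section, so the binary is parsed but never run. ldd, by contrast, runs its argument under the dynamic loader, which is exactly why a policy that relies on ldd needs exec permission on every binary it inspects, and a reader like this one needs only read access. The minimal ELF image, the library names inside it, and the helper names `needed_libraries`, `build_sample_elf` and `SAMPLE_ELF` are constructed for this example.

```python
"""List a binary's DT_NEEDED libraries by parsing ELF, without executing it.

Added example, not part of the refpolicy thread or dracut. Handles ELF64
little-endian images; statically linked images (no PT_DYNAMIC) yield [].
"""
import struct

# ELF64 little-endian constants used below.
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def needed_libraries(data):
    """Return the DT_NEEDED names of an ELF64 LE image held in memory.

    Nothing is executed: the program headers are walked to find PT_DYNAMIC,
    the dynamic section is scanned for DT_NEEDED/DT_STRTAB, and the string
    table is located through the PT_LOAD segment that contains it.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    loads, dynamic = [], None
    for i in range(e_phnum):
        (p_type, _flags, p_offset, p_vaddr, _paddr,
         p_filesz, _memsz, _align) = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []  # statically linked: the loader is never involved

    def to_offset(vaddr):
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return vaddr - seg_vaddr + seg_off
        raise ValueError("address not backed by a PT_LOAD segment")

    dyn_off, dyn_len = dynamic
    needed, strtab_vaddr = [], None
    for off in range(dyn_off, dyn_off + dyn_len, DYN_SIZE):
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed.append(d_val)  # offset into the dynamic string table
        elif d_tag == DT_STRTAB:
            strtab_vaddr = d_val  # virtual address, not a file offset
    if not needed:
        return []
    if strtab_vaddr is None:
        raise ValueError("DT_NEEDED without DT_STRTAB")
    strtab = to_offset(strtab_vaddr)
    names = []
    for idx in needed:
        end = data.index(b"\x00", strtab + idx)
        names.append(data[strtab + idx:end].decode())
    return names


def build_sample_elf(needed, base=0x400000):
    """Constructed sample input (not a real binary): a minimal ELF64 image
    with one PT_LOAD covering the whole file, one PT_DYNAMIC and a string
    table. Enough for needed_libraries(); it cannot be executed."""
    strtab, offsets = b"\x00", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\x00"
    phnum = 2
    dyn_off = EHDR_SIZE + PHDR_SIZE * phnum
    dyn_entries = [(DT_NEEDED, o) for o in offsets]
    dyn_len = (len(dyn_entries) + 2) * DYN_SIZE
    str_off = dyn_off + dyn_len
    total = str_off + len(strtab)
    dyn_entries += [(DT_STRTAB, base + str_off), (DT_NULL, 0)]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, base,
                               EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE,
                               phnum, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, base, base,
                        total, total, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, dyn_len, dyn_len, 8)
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    return ehdr + phdrs + dynamic + strtab


# Constructed sample: two libraries a setfiles-like binary could depend on.
SAMPLE_ELF = build_sample_elf(["libc.so.6", "libselinux.so.1"])


def needed_libraries_of_file(path):
    with open(path, "rb") as fh:
        return needed_libraries(fh.read())


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("\n".join(needed_libraries_of_file(sys.argv[1])))
    else:
        print("\n".join(needed_libraries(SAMPLE_ELF)))
```

Run with a path to any ELF64 binary to compare against `ldd`'s output; the names match, but no process is started and the policy needs only read on the binary. Unlike ldd, the reader does not follow the transitive dependencies of the listed libraries, which a tool building an initramfs would have to do by parsing each resolved library in turn.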