From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 25 Jun 2012 16:31:47 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <1340566929.8671.10.camel@x220.mydomain.internal>
References: <20120624180258.GA11810@siphos.be>
<20120624180448.GD11810@siphos.be>
<1340566929.8671.10.camel@x220.mydomain.internal>
Message-ID: <20120625143147.GA14206@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Jun 24, 2012 at 09:42:09PM +0200, Dominick Grift wrote:
> > +########################################
> > +##
> > +## Allow domain to manage dracut temporary files
> > +##
> > +##
> > +##
> > +## Domain allowed access.
> > +##
> > +##
> > +#
> > +interface(`dracut_manage_tmp_files',`
> > + gen_require(`
> > + type dracut_tmp_t;
> > + ')
> > +
> > + files_search_var($1)
> > + files_search_tmp($1)
> > +
> > + manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > + manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > + read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
> > +')
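
Review bot: the name dracut_manage_tmp_files promises file management only, but the manage_dirs_pattern and read_lnk_files_pattern lines also hand the caller directory management and symlink reads on dracut_tmp_t. Either rename the interface so it covers all temporary content, or split it, so that callers do not pick up directory create and delete rights by accident. Symlinks are read-only here; if that asymmetry is intended, state it in the summary.
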
> This isn't what it says it is. I would probably make it
> dracut_manage_tmp()
>
> Allow, and dracut in description is obvious, I would make it "Manage
> temporary content"

Ok

> > +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
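
Review bot: the class set { file lnk_file dir } on the files_tmp_filetrans line is wider than it needs to be unless dracut_t creates all three object classes directly in the tmp directory. Objects created inside a directory that is already labeled dracut_tmp_t inherit that type without any transition, so if dracut first creates its own working directory, dir alone should be enough. Narrow the class set to what is actually observed at that level.
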
> I suspect not all these type transitions are needed.

I think they were. Dracut generated a temporary directory in which it
positioned whatever information it needed to generate an initramfs. I'm not
sure about the lnk_file, so I'll try again to verify (I'll just add in a
temporary auditallow to make sure locally ;-)

> > +modutils_exec_depmod(dracut_t)
> > +modutils_exec_insmod(dracut_t)
> > +modutils_list_module_config(dracut_t)
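
Review bot: modutils_exec_depmod and modutils_exec_insmod run those binaries in dracut_t without a domain transition, and nothing in these lines says why. Add a one-line comment stating that plain execution in the caller's domain is intended, since every permission depmod or insmod needs then has to be granted to dracut_t itself.
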
> Redundant, this is already allowed with modutils_read_module_config()

Ok

> > +modutils_read_module_config(dracut_t)
> > +modutils_read_module_deps(dracut_t)
> > +
> > +mount_exec(dracut_t)
> > +
> > +seutil_exec_setfiles(dracut_t)
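
Review bot: mount_exec and seutil_exec_setfiles are granted bare, with no comment and no accompanying mount or relabel permissions in the visible lines, so a reader cannot tell whether dracut_t is meant to use these tools or only to execute the binaries. Put a short comment above each call naming the reason, for example that the files only need to be executable while library dependencies are scanned.
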
> So you allow it to run setfiles in the dracut domain, but you don't allow
> the dracut domain to relabelfrom and -to anything?

It's not about executing; dracut uses "ldd" to scan for libraries it needs
in the initramfs. But using "ldd" means that ldd (underlyingly) executes the
files. Hence, the need for _exec (but not for _domtrans or functionality).

Wkr,
Sven Vermeulen