From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 25 Jun 2012 16:49:06 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <20120625143147.GA14206@siphos.be>
References: <20120624180258.GA11810@siphos.be>
	<20120624180448.GD11810@siphos.be>
	<1340566929.8671.10.camel@x220.mydomain.internal>
	<20120625143147.GA14206@siphos.be>
Message-ID: <1340635746.2003.2.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> > > +seutil_exec_setfiles(dracut_t)
> > So you allow it to run setfiles in the dracut domain, but you don't allow
> > the dracut domain to relabelfrom and -to anything?
>
> It's not about executing; dracut uses "ldd" to scan for libraries it needs
> in the initramfs. But using "ldd" means that ldd (underlyingly) executes the
> files. Hence, the need for _exec (but not for _domtrans or functionality).
>

I think you want mmap (create a seutil_check_exec_setfiles() or something).

mmap provides only execute.

exec provides execute as well as execute_no_trans.

I think that, if I understand you correctly, it doesn't need the execute_no_trans.
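Review bot: seutil_exec_setfiles(dracut_t) in the quoted hunk grants execute_no_trans on setfiles_exec_t on top of execute, so dracut_t can execve() setfiles and keep running in its own domain, which is more than an ldd-style library scan needs if that scan only maps the binary; if the only reason for the line is ldd, as the thread says, prefer a narrower interface that grants just the mmap/execute side on setfiles_exec_t, and say so in the commit message, since a reader who sees setfiles access next to no relabel permissions will otherwise assume one of the two is missing.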
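An added example, not from the patch or from refpolicy itself, spelling out the mmap-versus-exec distinction above in refpolicy interface form: a narrower interface that only lets a domain map the setfiles binary, next to the broader grant the original hunk makes. The interface name seutil_mmap_setfiles_exec and the exact permission lists are assumptions for this example, not refpolicy's own definitions.

```m4
## <summary>
##	Map the setfiles binary (for ldd-style library scanning) without
##	allowing it to be executed in the caller's domain.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
# Hypothetical interface for seutil.if; the name and the permission list
# are assumptions for this example, not refpolicy's own code.
interface(`seutil_mmap_setfiles_exec',`
	gen_require(`
		type setfiles_exec_t;
	')

	corecmd_search_bin($1)
	# mmap(PROT_EXEC) of the file only needs file:execute.  An execve()
	# of the file with no domain transition would additionally need
	# execute_no_trans, which is deliberately left out here.
	allow $1 setfiles_exec_t:file { getattr open read execute };
')

# For contrast, roughly what the original hunk grants through
# seutil_exec_setfiles(): the same mapping rights plus execute_no_trans,
# i.e. permission to run setfiles and stay in dracut_t.
#	allow dracut_t setfiles_exec_t:file { getattr open read execute execute_no_trans };

# Replacement for the hunk's call in the dracut module:
seutil_mmap_setfiles_exec(dracut_t)
```

With the narrower interface a compromised dracut_t can still let ldd inspect setfiles, but any attempt to execve() it is denied and shows up as an AVC denial for execute_no_trans.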