From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 25 Jun 2012 16:53:29 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <1340635746.2003.2.camel@x220.mydomain.internal>
References: <20120624180258.GA11810@siphos.be> <20120624180448.GD11810@siphos.be> <1340566929.8671.10.camel@x220.mydomain.internal> <20120625143147.GA14206@siphos.be> <1340635746.2003.2.camel@x220.mydomain.internal>
Message-ID: <1340636009.2003.5.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-06-25 at 16:49 +0200, Dominick Grift wrote:
> > > > +seutil_exec_setfiles(dracut_t)
> > > So you allow it to run setfiles in the dracut domain, but you don't allow
> > > the dracut domain to relabelfrom and -to anything?
> >
> > It's not about executing; dracut uses "ldd" to scan for libraries it needs
> > in the initramfs. But using "ldd" means that ldd (underlyingly) executes the
> > files. Hence, the need for _exec (but not for _domtrans or functionality).
> >
>
> I think you want mmap (create a seutil_check_exec_setfiles() or
> something)
>
> mmap provides only execute
> exec provides execute as well as execute_no_trans
>
> I think that, if I understand you correctly, it doesn't need the
> execute_no_trans
>

But nevertheless, push comes to shove, dracut should probably optionally
be allowed to (really) execute setfiles and be allowed to
dev_relabel_all_devices.

In at least old Fedora it mounts /sysroot/dev, restores the context of /dev
and then loads policy (if I am not mistaken).
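
Review bot: the added seutil_exec_setfiles(dracut_t) call has no comment explaining why dracut_t needs it, and the replies show the reason (ldd scanning setfiles for the libraries it needs in the initramfs) cannot be read from the call itself. Put a one-line comment above the call stating that purpose. If execute_no_trans is not actually required, grant only execute through a narrower interface, as proposed in the thread, so the rule matches the stated intent.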