From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 25 Jun 2012 11:29:27 -0400
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <1340636009.2003.5.camel@x220.mydomain.internal>
References: <20120624180258.GA11810@siphos.be>
 <20120624180448.GD11810@siphos.be>
 <1340566929.8671.10.camel@x220.mydomain.internal>
 <20120625143147.GA14206@siphos.be>
 <1340635746.2003.2.camel@x220.mydomain.internal>
 <1340636009.2003.5.camel@x220.mydomain.internal>
Message-ID: <4FE883D7.9060808@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/25/2012 10:53 AM, Dominick Grift wrote:
> On Mon, 2012-06-25 at 16:49 +0200, Dominick Grift wrote:
>>>>> +seutil_exec_setfiles(dracut_t)
>>>> So you allow it to run setfiles in the dracut domain, but you don't
>>>> allow the dracut domain to relabelfrom and -to anything?
>>>
>>> It's not about executing; dracut uses "ldd" to scan for libraries it
>>> needs in the initramfs. But using "ldd" means that ldd (underlyingly)
>>> executes the files. Hence, the need for _exec (but not for _domtrans or
>>> functionality).
>>>
>>
>> I think you want mmap (create a seutil_check_exec_setfiles() or
>> something).
>>
>> mmap provides only execute; exec provides execute as well as
>> execute_no_trans.
>>
>> I think that, if I understand you correctly, it doesn't need the
>> execute_no_trans.
>>
>
> But nevertheless, push comes to shove, dracut should probably optionally be
> allowed to (really) execute setfiles and be allowed to
> dev_relabel_all_devices.
>
> In at least old Fedora it mounts /sysroot/dev, restores context of /dev and
> then loads policy (if I am not mistaken).
>

Yes, although I think that is being done by systemd or systemd-udev now.
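The two access vectors the thread is weighing for dracut_t on setfiles_exec_t, written out as raw allow rules so the permission sets are visible; this is an added illustration, not code from the patch or from refpolicy, and seutil_check_exec_setfiles() is the name the thread proposes, not an interface refpolicy defines.

```selinux
# Added example: the "mmap" versus "exec" alternatives discussed above,
# spelled out as raw rules instead of seutil_* interfaces. dracut_t and
# setfiles_exec_t are the refpolicy types named in the thread.

# Variant 1: what an mmap-style interface (the suggested
# seutil_check_exec_setfiles()) would grant. glibc's ldd runs the dynamic
# loader with setfiles as its argument, so the binary is opened and mapped
# PROT_EXEC but never execve()d: file:execute is the permission that
# covers the executable mapping, and no execute_no_trans is involved.
allow dracut_t setfiles_exec_t:file { getattr open read execute };

# Variant 2: roughly what seutil_exec_setfiles(dracut_t) grants.
# execute_no_trans additionally permits execve() of setfiles with the
# caller staying in dracut_t, i.e. really running setfiles without a
# domain transition. The library scan alone does not need it; actually
# running setfiles from dracut_t would, and would then also need relabel
# permissions on whatever setfiles is expected to relabel, which neither
# of these rules grants.
allow dracut_t setfiles_exec_t:file { getattr open read execute execute_no_trans };

# Assumed: search permission on the directory holding the setfiles binary
# already comes from dracut_t's existing rules, so it is not repeated here.
```

Each variant is checkable after loading with sesearch -A -s dracut_t -t setfiles_exec_t -c file, which lists exactly the permission set the loaded policy grants.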