From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 25 Jun 2012 18:29:11 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <1340636009.2003.5.camel@x220.mydomain.internal>
References: <20120624180258.GA11810@siphos.be>
 <20120624180448.GD11810@siphos.be>
 <1340566929.8671.10.camel@x220.mydomain.internal>
 <20120625143147.GA14206@siphos.be>
 <1340635746.2003.2.camel@x220.mydomain.internal>
 <1340636009.2003.5.camel@x220.mydomain.internal>
Message-ID: <20120625162910.GA16311@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Jun 25, 2012 at 04:53:29PM +0200, Dominick Grift wrote:
> > I think you want mmap (create a seutil_check_exec_setfiles() or
> > something)
> >
> > mmap provides only execute
> > exec provides execute as well as execute_no_trans
> >
> > I think that, if I understand you correctly, it doesn't need the
> > execute_no_trans
> >
>
> but nevertheless, push comes to shove, dracut should probably optionally
> be allowed to (really) execute setfiles and be allowed to
> dev_relabel_all_devices
>
> In at least old fedora it mounts /sysroot/dev, restores context of /dev
> and then loads policy (if I am not mistaken)

Thanks for the mmap hint, didn't know there was something like that.

Regarding the policy allowing executing - dracut_t is about the dracut
application. The initramfs itself doesn't run in dracut_t, but in init_t or
kernel_t (depending on when the policy itself is loaded)...

Wkr,
	Sven Vermeulen
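Added example, not from the thread and not refpolicy's own code: a sketch in refpolicy interface syntax of the `seutil_check_exec_setfiles()` interface Dominick suggests, to make the execute vs. execute_no_trans distinction concrete. The interface name is his hypothetical suggestion; `setfiles_exec_t`, `mmap_file_perms` and `exec_file_perms` are existing refpolicy names as I know them.

```selinux
########################################
## <summary>
##	Read and mmap the setfiles binary without being allowed to
##	run it in the caller's own domain. mmap_file_perms carries
##	"execute" (needed to map the file PROT_EXEC) but not
##	"execute_no_trans", so the caller cannot execve() setfiles
##	as itself.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`seutil_check_exec_setfiles',`
	gen_require(`
		type setfiles_exec_t;
	')

	# Hypothetical interface (Dominick's suggestion); the type and
	# permission set are existing refpolicy names.
	# mmap_file_perms = { getattr open read execute ioctl }
	allow $1 setfiles_exec_t:file mmap_file_perms;
')

# For contrast, what "(really) execute setfiles" in the caller's
# domain grants: the same set plus execute_no_trans, i.e. what
# exec_file_perms (as used by the can_exec() macro) expands to.
# Shown as a comment; it is not part of the interface above.
#	allow $1 setfiles_exec_t:file exec_file_perms;
#	exec_file_perms = { getattr open read execute ioctl execute_no_trans }
```

The check interface lets a domain inspect or map the binary; only the exec form lets it start setfiles without a domain transition, which is the distinction the thread turns on.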