From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 25 Jun 2012 18:36:26 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <20120625162910.GA16311@siphos.be>
References: <20120624180258.GA11810@siphos.be> <20120624180448.GD11810@siphos.be> <1340566929.8671.10.camel@x220.mydomain.internal> <20120625143147.GA14206@siphos.be> <1340635746.2003.2.camel@x220.mydomain.internal> <1340636009.2003.5.camel@x220.mydomain.internal> <20120625162910.GA16311@siphos.be>
Message-ID: <1340642186.2003.6.camel@x220.mydomain.internal>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-06-25 at 18:29 +0200, Sven Vermeulen wrote:
> On Mon, Jun 25, 2012 at 04:53:29PM +0200, Dominick Grift wrote:
> > > I think you want mmap (create a seutil_check_exec_setfiles() or
> > > something)
> > >
> > > mmap provides only execute
> > > exec provides execute as well as execute_no_trans
> > >
> > > I think that, if I understand you correctly, it doesn't need the
> > > execute_no_trans
> >
> > but nevertheless, push comes to shove, dracut should probably optionally
> > be allowed to (really) execute setfiles and be allowed to
> > dev_relabel_all_devices
> >
> > In at least old Fedora it mounts /sysroot/dev, restores context of /dev
> > and then loads policy (if I am not mistaken)
>
> Thanks for the mmap hint, didn't know there was something like that.
>
> Regarding the policy allowing executing - dracut_t is about the dracut
> application. The initramfs itself doesn't run in dracut_t, but in init_t or
> kernel_t (depending on when the policy itself is loaded)...

Whoops yes that's right, kernel_t I guess...