From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 25 Jun 2012 22:38:18 +0200
Subject: [refpolicy] [PATCH v2 3/5] Adding dracut policy
In-Reply-To: <1340566929.8671.10.camel@x220.mydomain.internal>
References: <20120624180258.GA11810@siphos.be> <20120624180448.GD11810@siphos.be> <1340566929.8671.10.camel@x220.mydomain.internal>
Message-ID: <20120625203817.GA11550@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Jun 24, 2012 at 09:42:09PM +0200, Dominick Grift wrote:
> > +manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
> > +files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
>
> I suspect not all these type transitions are needed.

Indeed, dir is sufficient on the type transition. Dracut creates a temporary working directory in /var/tmp in which it pregenerates its initramfs environment.

The manage_* stuff needs to be elaborated a bit though (including chr_file support at least).

> > +modutils_list_module_config(dracut_t)
>
> Redundant, this is already allowed with modutils_read_module_config().

It's not. In modutils_read_module_config, you have search privileges in the directory, but not listing privileges. Dracut needs listing privileges, as it uses something like "find /etc/modprobe.d" in its internal operations.

I could add in list_dirs_pattern() in the modutils_read_module_config(), but then that would enlarge the privileges for other domains that have this (which is about 12 domains on my system).

Wkr,
  Sven Vermeulen
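The dracut_tmp_t handling as discussed in this thread, written out as an added policy fragment (not the patch under review and not refpolicy's own dracut.te): only the working directory gets the type transition, chr_file is added to the manage patterns, and the module config directory is both read and listed. The type and domain declarations and the mknod capability line are assumptions to make the fragment self-contained.

```selinux
policy_module(dracut, 0.1)

# Assumed declarations; the real module defines these elsewhere.
type dracut_t;
type dracut_exec_t;
application_domain(dracut_t, dracut_exec_t)

# Working directory dracut creates under /var/tmp to stage the initramfs.
type dracut_tmp_t;
files_tmp_file(dracut_tmp_t)

# Only the top-level working directory needs the type transition; everything
# dracut creates below it inherits dracut_tmp_t from the parent directory,
# so transitioning file and lnk_file as well is unnecessary.
files_tmp_filetrans(dracut_t, dracut_tmp_t, dir)

# The staged tree holds directories, regular files, symlinks and the device
# nodes that end up in the initramfs /dev, hence chr_file must be managed too.
manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
# Assumption: creating device nodes additionally requires the mknod capability.
allow dracut_t self:capability mknod;

# dracut runs find(1) over /etc/modprobe.d, which needs the directory to be
# listed; the read interface alone only grants search on that directory, so
# the list interface is kept rather than widening read for every caller.
modutils_read_module_config(dracut_t)
modutils_list_module_config(dracut_t)
```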