From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 21:19:29 +0100
Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy
In-Reply-To: <4ec4885b-4406-0b74-fe06-2a70238cdcb0@gmail.com>
References: <1483051782.12123.10.camel@trentalancia.net>
 <1483128556.3970.14.camel@trentalancia.net>
 <4ec4885b-4406-0b74-fe06-2a70238cdcb0@gmail.com>
Message-ID: <1483129169.3970.21.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 30/12/2016 at 21.12 +0100, Dominick Grift via refpolicy wrote:
> On 12/30/2016 09:09 PM, Guido Trentalancia via refpolicy wrote:
> >
> > On Fri, 30/12/2016 at 21.01 +0100, Dominick Grift via refpolicy
> > wrote:
> > >
> > > On 12/30/2016 08:30 PM, Chris PeBenito via refpolicy wrote:
> > > >
> > > > On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote:
> > > > >
> > > > > Update the initrc_t domain policy in the init module with
> > > > > some missing permissions.
> > > > >
> > > > > Signed-off-by: Guido Trentalancia
> > > > > ---
> > > > >  policy/modules/kernel/terminal.if |   21 +++++++++++++++++++++
> > > > >  policy/modules/system/init.te     |   19 +++++++++++++++++--
> > > > >  2 files changed, 38 insertions(+), 2 deletions(-)
> > > > [...]
> > > > > +# plymouth
> > > > > +kernel_stream_connect(initrc_t)
> > > >
> > > > Plymouth has a domain, so this seems unnecessary.
> > >
> > > Plymouthd is running from initramfs before policy is loaded. So
> > > once the policy gets loaded and root is switched the kernel isid
> > > kicks in and associates kernel_t with the process
> >
> > Yes, I confirm. Plymouthd is running in the kernel_t domain because
> > it is started before the policy is loaded.
> >
>
> The question is then what is running in initrc_t in that event? Is it
> the plymouth client stream connecting to plymouthd?
>
> Is the plymouth client an init_system_domain()? The comment is
> misleading in some sense.
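Review bot: the comment `# plymouth` above `+kernel_stream_connect(initrc_t)` does not say which process initrc_t is connecting to or why that process is labelled kernel_t; since kernel_stream_connect() is not specific to plymouth, the comment should state the reason the thread above establishes, e.g. `# plymouthd, started from the initramfs before policy load, so it runs in kernel_t`. The diffstat also lists 21 added lines in policy/modules/kernel/terminal.if that are elided in this quote, so the new terminal interface cannot be reviewed from what is shown here.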
It's plymouthd, I wrote "plymouth" referring to the package. I'll fix the
comment in the next version.

Regards,

Guido