From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 21:50:07 +0100
Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy
In-Reply-To: <29718ae9-d4b8-01fa-65c3-cf1d17cf4bbc@gmail.com>
References: <1483051782.12123.10.camel@trentalancia.net>
 <1483128556.3970.14.camel@trentalancia.net>
 <4ec4885b-4406-0b74-fe06-2a70238cdcb0@gmail.com>
 <1483129169.3970.21.camel@trentalancia.net>
 <29718ae9-d4b8-01fa-65c3-cf1d17cf4bbc@gmail.com>
Message-ID: <1483131007.2613.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 30/12/2016 at 21.20 +0100, Dominick Grift via refpolicy wrote:
> On 12/30/2016 09:19 PM, Guido Trentalancia via refpolicy wrote:
> >
> > On Fri, 30/12/2016 at 21.12 +0100, Dominick Grift via refpolicy wrote:
> > >
> > > On 12/30/2016 09:09 PM, Guido Trentalancia via refpolicy wrote:
> > > >
> > > > On Fri, 30/12/2016 at 21.01 +0100, Dominick Grift via refpolicy wrote:
> > > > >
> > > > > On 12/30/2016 08:30 PM, Chris PeBenito via refpolicy wrote:
> > > > > >
> > > > > > On 12/29/16 17:49, Guido Trentalancia via refpolicy wrote:
> > > > > > >
> > > > > > > Update the initrc_t domain policy in the init module with some
> > > > > > > missing permissions.
> > > > > > >
> > > > > > > Signed-off-by: Guido Trentalancia
> > > > > > >
> > > > > > > ---
> > > > > > >  policy/modules/kernel/terminal.if |   21 +++++++++++++++++++++
> > > > > > >  policy/modules/system/init.te     |   19 +++++++++++++++++--
> > > > > > >  2 files changed, 38 insertions(+), 2 deletions(-)
> > > >
> > > > [...]
> > > >
> > > > > > > +# plymouth
> > > > > > > +kernel_stream_connect(initrc_t)
> > > > > >
> > > > > > Plymouth has a domain, so this seems unnecessary.
> > > > >
> > > > > Plymouthd is running from initramfs before policy is loaded. So once the
> > > > > policy gets loaded and root is switched the kernel isid kicks in and
> > > > > associates kernel_t with the process
> > > >
> > > > Yes, I confirm. Plymouthd is running in the kernel_t domain because it
> > > > is started before the policy is loaded.
> > >
> > > The question is then what is running in initrc_t in that event? is it
> > > the plymouth client stream connecting to plymouthd?
> > >
> > > is the plymouth client an init_system_domain()?
> >
> > The comment is misleading in some sense. It's plymouthd, I wrote
> > "plymouth" referring to the package.
> >
> > I'll fix the comment in the next version.
>
> Yes ok, but then why does a process associated with initrc_t need to
> stream connect to it?
>
> what is that process running in initrc_t?

It's actually the other way around. The comment is correct. The client
is eventually running in initrc_t...

Such permission is absolutely necessary for the correct functioning of
the plymouth terminal interface.

Regards,

Guido
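Review bot: the `# plymouth` comment above `+kernel_stream_connect(initrc_t)` in the init.te hunk does not say why initrc_t needs to connect to a kernel_t stream socket, and since plymouth normally has its own domain the bare comment reads as an oversight, which is exactly the question this thread had to resolve. The explanation given here (plymouthd is started from the initramfs before the policy is loaded, so the kernel initial SID leaves it in kernel_t, and the plymouth client runs in initrc_t) belongs in the policy file next to the rule, for example `# plymouth client connecting to plymouthd, which runs in kernel_t because it is started from the initramfs before policy load`. Naming the initrc_t client there, as asked above, also makes it clear where the rule should move if that client later gets a domain of its own.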