From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 22:06:14 +0100
Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy
In-Reply-To:
References: <1483051782.12123.10.camel@trentalancia.net> <1483128556.3970.14.camel@trentalancia.net> <4ec4885b-4406-0b74-fe06-2a70238cdcb0@gmail.com> <1483129169.3970.21.camel@trentalancia.net> <29718ae9-d4b8-01fa-65c3-cf1d17cf4bbc@gmail.com> <1483131007.2613.1.camel@trentalancia.net>
Message-ID: <1483131974.2893.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 30/12/2016 at 21.52 +0100, Dominick Grift via refpolicy wrote:
> On 12/30/2016 09:50 PM, Guido Trentalancia via refpolicy wrote:

[...]

> > > > > > > > > +# plymouth
> > > > > > > > > +kernel_stream_connect(initrc_t)
> > > > > > > >
> > > > > > > > Plymouth has a domain, so this seems unnecessary.
> > > > > > >
> > > > > > > Plymouthd is running from initramfs before policy is loaded.
> > > > > > > So once the policy gets loaded and root is switched the kernel isid
> > > > > > > kicks in and associates kernel_t with the process
> > > > > >
> > > > > > Yes, I confirm. Plymouthd is running in the kernel_t domain because it
> > > > > > is started before the policy is loaded.
> > > > >
> > > > > The question is then what is running in initrc_t in that event?
> > > > > is it the plymouth client stream connecting to plymouthd?
> > > > >
> > > > > is the plymouth client an init_system_domain()?
> > > >
> > > > The comment is misleading in some sense. It's plymouthd, I wrote
> > > > "plymouth" referring to the package.
> > > >
> > > > I'll fix the comment in the next version.
> > >
> > > Yes ok, but then why does a process associated with initrc_t need to
> > > stream connect to it?
> > > what is that process running in initrc_t?
> >
> > It's actually the other way around. The comment is correct.
> >
> > The client is eventually running in initrc_t...
> >
> > Such permission is absolutely necessary for the correct functioning of
> > the plymouth terminal interface.
>
> ok then i believe you should instead add:
>
> init_system_domain(plymouth_t, plymouth_exec_t)
>
> or something along those lines

Yes, the above works and is the correct solution, thanks for the tip.

This leads to a new patch for the plymouth module...

Regards,

Guido
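As an added example that is not part of this thread or of refpolicy: a small shell check, assuming the `ps -eZ` column layout LABEL PID TTY TIME CMD, that flags processes left in kernel_t (started before policy load, as plymouthd is here) or initrc_t (never transitioned out of init's domain, which the suggested init_system_domain() call is meant to supply), so the effect of such a patch can be verified on a booted system. The sample ps output below is constructed, and catch_all_domains/check_sample are hypothetical helper names.

```shell
#!/bin/sh
# Added check (not refpolicy code): list processes still sitting in a
# catch-all domain, i.e. kernel_t (started from the initramfs before the
# policy was loaded, like plymouthd) or initrc_t (spawned by init without
# a domain transition, which init_system_domain() would give the client).
# Reads `ps -eZ` style lines: LABEL PID TTY TIME CMD.

catch_all_domains() {
    # Print "<type> <cmd>" for every process whose SELinux type is
    # kernel_t or initrc_t; everything else is silently accepted.
    awk '
        NR == 1 { next }                     # skip the ps header line
        {
            n = split($1, ctx, ":")         # user:role:type[:range]
            if (n >= 3 && (ctx[3] == "kernel_t" || ctx[3] == "initrc_t"))
                print ctx[3], $NF
        }'
}

# Constructed sample of `ps -eZ` output (not captured from a real host):
# plymouthd in kernel_t, one plymouth client left in initrc_t and one
# already transitioned into plymouth_t.
SAMPLE_PS='LABEL                            PID TTY          TIME CMD
system_u:system_r:init_t:s0          1 ?        00:00:01 init
system_u:system_r:kernel_t:s0      212 ?        00:00:00 plymouthd
system_u:system_r:initrc_t:s0      530 ?        00:00:00 plymouth
system_u:system_r:plymouth_t:s0    531 ?        00:00:00 plymouth
system_u:system_r:sshd_t:s0        640 ?        00:00:00 sshd'

# Run the check over the sample; on a live system: ps -eZ | catch_all_domains
check_sample() {
    printf '%s\n' "$SAMPLE_PS" | catch_all_domains
}

check_sample
```

Only the plymouthd line (kernel_t) and the untransitioned client (initrc_t) are reported; the client that already landed in plymouth_t is accepted.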