From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 30 Dec 2016 22:06:14 +0100
Subject: [refpolicy] [PATCH] init: update the initrc_t domain policy
In-Reply-To: <eb80128e-c5fd-69ad-d754-b73e57c4c3de@gmail.com>
References: <1483051782.12123.10.camel@trentalancia.net>
	<c08dd357-9db1-d005-6e80-4234dd52c87d@ieee.org>
	<c3317e74-accc-77bb-d7a8-d28aa4a50d2d@gmail.com>
	<1483128556.3970.14.camel@trentalancia.net>
	<4ec4885b-4406-0b74-fe06-2a70238cdcb0@gmail.com>
	<1483129169.3970.21.camel@trentalancia.net>
	<29718ae9-d4b8-01fa-65c3-cf1d17cf4bbc@gmail.com>
	<1483131007.2613.1.camel@trentalancia.net>
	<eb80128e-c5fd-69ad-d754-b73e57c4c3de@gmail.com>
Message-ID: <1483131974.2893.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 30/12/2016 at 21.52 +0100, Dominick Grift via refpolicy wrote:
> On 12/30/2016 09:50 PM, Guido Trentalancia via refpolicy wrote:

[...]

> > > > > > > > > 
> > > > > > > > > +# plymouth
> > > > > > > > > +kernel_stream_connect(initrc_t)
> > > > > > > > 
> > > > > > > > Plymouth has a domain, so this seems unnecessary.
> > > > > > > 
> > > > > > > Plymouthd is running from initramfs before policy is
> > > > > > > loaded.
> > > > > > > So
> > > > > > > once
> > > > > > > the
> > > > > > > policy gets loaded and root is switched the kernel isid
> > > > > > > kicks
> > > > > > > in
> > > > > > > and
> > > > > > > associates kernel_t with the process
> > > > > > 
> > > > > > Yes, I confirm. Plymouthd is running in the kernel_t domain
> > > > > > because
> > > > > > it
> > > > > > is started before the policy is loaded.
> > > > > > 
> > > > > 
> > > > > The question is then what is running in initrc_t in that
> > > > > event?
> > > > > is it
> > > > > the plymouth client stream connecting to plymouthd?
> > > > > 
> > > > > is the plymouth client an init_system_domain()?
> > > > 
> > > > The comment is misleading in some sense. It's plymouthd, I
> > > > wrote
> > > > "plymouth" referring to the package.
> > > > 
> > > > I'll fix the comment in the next version.
> > > 
> > > Yes ok, but then why does a process associated with initrc_t need
> > > to
> > > stream connect to it?
> > > 
> > > what is that process running in initrc_t?
> > 
> > It's actually the other way around. The comment is correct.
> > 
> > The client is eventually running in initrc_t...
> > 
> > Such permission is absolutely necessary for the correct functioning
> > of
> > the plymouth terminal interface.
> 
> ok then i believe you should instead add:
> 
> init_system_domain(plymouth_t, plymouth_exec_t)
> 
> or somthing along those lines

Yes, the above works and is the correct solution, thanks for the tip.

This leads to a new patch for the plymouth module...

Regards,

Guido