dracut: various fixes#19
Conversation
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
|
This PR has not had any recent activity. It will be closed in 7 days if it makes no further progress. |
|
Closing stale PR. |
| auth_manage_shadow(dracut_t) | ||
| auth_relabelto_shadow(dracut_t) | ||
|
|
||
| domain_obj_id_change_exemption(dracut_t) | ||
| domain_role_change_exemption(dracut_t) | ||
| domain_system_change_exemption(dracut_t) |
There was a problem hiding this comment.
uh these are dangerous permissions. Why does dracut need to manage shadow?
Also I'd need a pretty strong justification if things need the foo_change_exemption() rules, those are usually for things like login managers that need to switch to different users or security levels etc.
sometimes those rules showing up means PAM or chk_passwd stuff. does this instead need auth_use_pam(dracut_t) or maybe auth_use_nsswitch?
I see this line: modules.d/99base/module-setup.sh:33: [[ $hostonly ]] && grep '^root:' "$dracutsysrootdir"/etc/shadow >> "$initdir/etc/shadow" but at the most that should need read_shadow not manage_shadow right?
There was a problem hiding this comment.
These are needed because dracut does this:
#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
# constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-) or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED
# Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t modules_object_t:file relabelto;
Also needs manage_shadow as otherwise it hits a neverallow rule with the files_unconfined permission.
Rules required to make dracut run on an enforcing system.