dracut: various fixes

[jpds]

Rules required to make dracut run on an enforcing system.

[github-actions]

This PR has not had any recent activity. It will be closed in 7 days if it makes no further progress.

[github-actions]

Closing stale PR.

[perfinion]

uh these are dangerous permissions. Why does dracut need to manage shadow?

Also I'd need a pretty strong justification if things need the foo_change_exemption() rules, those are usually for things like login managers that need to switch to different users or security levels etc.

sometimes those rules showing up means PAM or chk_passwd stuff. does this instead need auth_use_pam(dracut_t) or maybe auth_use_nsswitch?

I see this line: modules.d/99base/module-setup.sh:33: [[ $hostonly ]] && grep '^root:' "$dracutsysrootdir"/etc/shadow >> "$initdir/etc/shadow" but at the most that should need read_shadow not manage_shadow right?

[jpds]

These are needed because dracut does this:

#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.
#Constraint rule:
#       constrain file { create relabelfrom relabelto } ((u1 == u2 -Fail-)  or (t1 == can_change_object_identity -Fail-) ); Constraint DENIED

#       Possible cause is the source user (staff_u) and target user (system_u) are different.
allow dracut_t modules_object_t:file relabelto;

Also needs manage_shadow as otherwise it hits a neverallow rule with the files_unconfined permission.