perfinion · jpds · May 13, 2021 · May 13, 2021 · May 13, 2021 · May 13, 2021
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
@@ -229,6 +229,10 @@ optional_policy(`
  cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
 ')
 
+optional_policy(`
+ dracut_run(portage_t, portage_roles)
+')
+
 optional_policy(`
  gpg_spec_domtrans(portage_t, portage_fetch_t)
 ')

diff --git a/policy/modules/contrib/dracut.fc b/policy/modules/contrib/dracut.fc
@@ -1,5 +1,8 @@
+/etc/dracut\.conf -- gen_context(system_u:object_r:dracut_conf_t,s0)
+/etc/dracut\.conf\.d(/.*)? gen_context(system_u:object_r:dracut_conf_t,s0)
 #
 # /usr
 #
-/usr/sbin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
 /usr/bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/lib/dracut/dracut-install -- gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/sbin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
diff --git a/policy/modules/contrib/dracut.te b/policy/modules/contrib/dracut.te
@@ -4,21 +4,30 @@ type dracut_t;
 type dracut_exec_t;
 application_domain(dracut_t, dracut_exec_t)
 
+type dracut_conf_t;
+files_config_file(dracut_conf_t)
+
 type dracut_var_log_t;
 logging_log_file(dracut_var_log_t)
 
 type dracut_tmp_t;
 files_tmp_file(dracut_tmp_t)
 
+attribute_role dracut_roles;
+role dracut_roles types dracut_t;
+
 ########################################
 #
 # Local policy
 #
-allow dracut_t self:process setfscreate;
-allow dracut_t self:capability dac_override;
+allow dracut_t self:process { getsched setfscreate };
+allow dracut_t self:capability { dac_override dac_read_search fsetid mknod sys_admin };
 allow dracut_t self:fifo_file rw_fifo_file_perms;
 allow dracut_t self:unix_stream_socket create_stream_socket_perms;
 
+list_dirs_pattern(dracut_t, dracut_conf_t, dracut_conf_t)
+read_files_pattern(dracut_t, dracut_conf_t, dracut_conf_t)
+
 manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
 manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
 manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
@@ -28,25 +37,40 @@ files_tmp_filetrans(dracut_t, dracut_tmp_t, dir)
 manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
 logging_log_filetrans(dracut_t, dracut_var_log_t, file)
 
+auth_manage_shadow(dracut_t)
+auth_relabelto_shadow(dracut_t)
+
+domain_obj_id_change_exemption(dracut_t)
+domain_role_change_exemption(dracut_t)
+domain_system_change_exemption(dracut_t)
+
 kernel_read_messages(dracut_t)
 kernel_read_system_state(dracut_t)
 
 corecmd_exec_bin(dracut_t)
 corecmd_exec_shell(dracut_t)
 corecmd_mmap_all_executables(dracut_t)
 
+dev_getattr_lvm_control(dracut_t)
+dev_read_lvm_control(dracut_t)
 dev_read_kmsg(dracut_t)
 dev_read_sysfs(dracut_t)
+dev_read_urand(dracut_t)
 
 domain_use_interactive_fds(dracut_t)
 
 files_create_kernel_img(dracut_t)
+files_mmap_read_kernel_modules(dracut_t)
 files_read_etc_files(dracut_t)
 files_read_kernel_modules(dracut_t)
 files_read_usr_files(dracut_t)
 files_search_runtime(dracut_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, { file dir })
+files_unconfined(dracut_t)
 
-libs_exec_ldconfig(dracut_t)
+fs_getattr_xattr_fs(dracut_t)
+
+libs_run_ldconfig(dracut_t, dracut_roles)
 libs_exec_ld_so(dracut_t)
 libs_exec_lib_files(dracut_t)
 
@@ -55,6 +79,11 @@ miscfiles_read_localization(dracut_t)
 modutils_read_module_config(dracut_t)
 modutils_read_module_deps(dracut_t)
 
+seutil_relabelto_bin_policy(dracut_t)
+
+storage_getattr_fixed_disk_dev(dracut_t)
+storage_raw_rw_fixed_disk(dracut_t)
+
 udev_read_rules_files(dracut_t)
 
 userdom_search_user_home_dirs(dracut_t)
@@ -64,3 +93,6 @@ optional_policy(`
  lvm_read_config(dracut_t)
 ')
 
+ifdef(`distro_gentoo',`
+ portage_domtrans_gcc_config(dracut_t)
+')