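--- a/policy/modules/admin/dracut.fc
+++ b/policy/modules/admin/dracut.fc
@@ -0,0 +1,2 @@
+/usr/sbin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)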
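Review bot: dracut.fc labels only the two executables, yet dracut.te in this same change declares dracut_var_log_t and dracut_runtime_t and relies purely on logging_log_filetrans / files_runtime_filetrans to label what dracut creates under /var/log and /run at run time. Without file_contexts entries a restorecon or full relabel will reset those objects to the generic log/runtime types, after which dracut_t's manage rules on dracut_var_log_t no longer apply and later runs may be denied or silently write to a file it cannot label. installkernel.fc in this PR does label its log (`/var/log/installkernel\.log`), so dracut.fc should match; if the log sits at dracut's default location the entry would be `/var/log/dracut\.log -- gen_context(system_u:object_r:dracut_var_log_t,s0)`, but confirm the path against the dracut.conf `logfile` default and add the corresponding /run entry for whatever dracut creates there.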
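--- a/policy/modules/admin/dracut.if
+++ b/policy/modules/admin/dracut.if
@@ -0,0 +1,66 @@
+## <summary>Dracut initramfs creation tool</summary>
+
+########################################
+## <summary>
+## Execute the dracut program in the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dracut_domtrans',`
+gen_require(`
+type dracut_t, dracut_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, dracut_exec_t, dracut_t)
+')
+
+########################################
+## <summary>
+## Execute dracut in the dracut domain, and
+## allow the specified role the dracut domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_run',`
+gen_require(`
+type dracut_t;
+')
+
+dracut_domtrans($1)
+role $2 types dracut_t;
+')
+
+########################################
+## <summary>
+## Read/write dracut temporary files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dracut_rw_tmp_files',`
+gen_require(`
+type dracut_tmp_t;
+')
+
+files_search_var($1)
+files_search_tmp($1)
+
+rw_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+')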
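Review bot: `dracut_run` is missing the `## <rolecap/>` tag that `installkernel_run` carries in this same PR, so the generated interface documentation will not list it as a role-granting interface even though it does `role $2 types dracut_t`; add `## <rolecap/>` after the closing `## </param>` of the role parameter, matching installkernel.if. Separately, `dracut_rw_tmp_files` calls `files_search_var($1)` before `files_search_tmp($1)`, which reads as being there for a /var/tmp staging location; a one-line comment such as `# staging tree may live under /var/tmp` would save the next reader from wondering why a tmp interface touches /var.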
207 changes: 207 additions & 0 deletions policy/modules/admin/dracut.te
@@ -0,0 +1,207 @@
policy_module(dracut)

########################################
#
# Declarations
#

type dracut_t;
type dracut_exec_t;
application_domain(dracut_t, dracut_exec_t)

type dracut_var_log_t;
logging_log_file(dracut_var_log_t)

type dracut_runtime_t;
files_runtime_file(dracut_runtime_t)

type dracut_tmp_t;
files_tmp_file(dracut_tmp_t)

########################################
#
# Local policy
#

allow dracut_t self:process { getsched setfscreate };
# sys_admin needed for fsfreeze use
# sys_chroot needed for ldconfig
allow dracut_t self:capability { dac_override dac_read_search setfcap sys_admin sys_chroot };
dontaudit dracut_t self:capability sys_resource;
allow dracut_t self:fifo_file rw_fifo_file_perms;
allow dracut_t self:unix_stream_socket create_stream_socket_perms;
allow dracut_t self:alg_socket create_stream_socket_perms;

allow dracut_t dracut_runtime_t:dir manage_dir_perms;
allow dracut_t dracut_runtime_t:file manage_file_perms;
files_runtime_filetrans(dracut_t, dracut_runtime_t, { dir file })

allow dracut_t dracut_tmp_t:dir { manage_dir_perms relabelfrom };
allow dracut_t dracut_tmp_t:file { manage_file_perms relabel_file_perms };
manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
files_tmp_filetrans(dracut_t, dracut_tmp_t, dir)

manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
logging_log_filetrans(dracut_t, dracut_var_log_t, file)

corecmd_exec_bin(dracut_t)
corecmd_exec_shell(dracut_t)
corecmd_mmap_all_executables(dracut_t)
corecmd_delete_all_executables(dracut_t)

@pebenito pebenito Jan 21, 2026


What's happening here (the delete in particular)?


Related: there's also deletions in the files_* block and others.


What's happening here is installkernel creates the staging area for the initrd in /tmp. dracut copies all the binaries, shared libs, config files, etc. for all the components needed to boot the system to its own directory in the staging area. dracut also relabels all the files to the correct type so that the SELinux contexts inside of the initrd are correct. After the initrd is created, dracut recursively deletes this temporary directory and all its contents.

The delete access here is a rather unfortunate byproduct of the fact that these objects are copied and then deleted while having their destination SELinux contexts.


Can you file a bug to have it use mv/install -Z? I would prefer to have a comment in the policy with a reference to a bug.


I don't mind submitting an issue about the current behavior, but I'm not sure what mv/install -Z will do that is different from what is here currently. Let me know if I am misunderstanding something.

I think our shared concern is that the policy permits the deletion of sensitive files (e.g. shadow_t), so I think what we might really want is for dracut to be in a different domain that can only normally be transitioned to from dracut_t that does the cleanup, e.g. dracut_cleanup_t, and this domain is what is permitted to delete these files.


If they use install -Z then it would be getting the expected label as it is written out, without having to label it in the tmp dir.


Ah, I see now. I'll do some investigating. If the change is easy enough then we might be able to just submit a patch.

corecmd_setattr_all_executables(dracut_t)
corecmd_relabelto_all_executables(dracut_t)

dev_read_kmsg(dracut_t)
dev_read_rand(dracut_t)
dev_read_sysfs(dracut_t)
dev_rw_lvm_control(dracut_t)
# for ssh-keygen
dev_write_urand(dracut_t)
# findmnt generates these
dev_dontaudit_getattr_all_blk_files(dracut_t)
dev_dontaudit_getattr_all_chr_files(dracut_t)

domain_use_interactive_fds(dracut_t)
domain_obj_id_change_exemption(dracut_t)

files_create_kernel_img(dracut_t)
files_search_runtime(dracut_t)

files_rw_etc_files(dracut_t)
files_create_etc_files(dracut_t)
files_delete_etc_files(dracut_t)
files_rename_etc_files(dracut_t)
files_setattr_etc_files(dracut_t)
files_relabelto_etc_files(dracut_t)
files_mmap_read_kernel_modules(dracut_t)
files_delete_kernel_modules(dracut_t)
files_setattr_kernel_modules(dracut_t)
files_relabelto_kernel_modules_files(dracut_t)
files_read_usr_files(dracut_t)
files_delete_usr_files(dracut_t)
files_setattr_usr_files(dracut_t)
files_relabelto_usr_files(dracut_t)
files_read_usr_src_files(dracut_t)
files_read_etc_runtime_files(dracut_t)
files_delete_etc_runtime_files(dracut_t)
files_setattr_etc_runtime_files(dracut_t)
files_relabelto_etc_runtime_files(dracut_t)
files_relabelfrom_etc_runtime_files(dracut_t)

files_dontaudit_search_mnt(dracut_t)

# cgroup for virt-detect
fs_getattr_cgroup(dracut_t)
fs_read_cgroup_files(dracut_t)
# tmpfs on /run/modprobe.d
fs_list_tmpfs(dracut_t)
fs_getattr_nsfs_files(dracut_t)
fs_getattr_xattr_fs(dracut_t)
fs_dontaudit_getattr_hugetlbfs_dirs(dracut_t)

kernel_read_messages(dracut_t)
kernel_read_system_state(dracut_t)
# for virt-detect
kernel_read_kernel_sysctls(dracut_t)
kernel_read_network_state(dracut_t)
kernel_read_vm_overcommit_sysctl(dracut_t)
kernel_dontaudit_getattr_proc(dracut_t)

storage_dontaudit_read_fixed_disk(dracut_t)

# create a stripped down shadow file in initrd
auth_manage_shadow(dracut_t)
auth_use_nsswitch(dracut_t)

# for virt-detect
init_read_state(dracut_t)

fstools_domtrans(dracut_t)

libs_exec_ldconfig(dracut_t)
libs_exec_ld_so(dracut_t)
libs_exec_lib_files(dracut_t)
libs_delete_ld_so(dracut_t)
libs_setattr_ld_so(dracut_t)
libs_relabel_ld_so(dracut_t)
libs_delete_lib_files(dracut_t)
libs_setattr_lib_files(dracut_t)
libs_relabelto_lib_files(dracut_t)

logging_read_syslog_config(dracut_t)
logging_delete_syslog_config_files(dracut_t)
logging_setattr_syslog_config_files(dracut_t)
logging_relabelto_syslog_config_files(dracut_t)
logging_dontaudit_search_runtime_dirs(dracut_t)

miscfiles_read_generic_certs(dracut_t)
miscfiles_read_localization(dracut_t)

modutils_exec(dracut_t)
modutils_read_module_config(dracut_t)
modutils_delete_module_config(dracut_t)
modutils_setattr_module_config(dracut_t)
modutils_relabel_module_config(dracut_t)
modutils_read_module_deps(dracut_t)

seutil_domtrans_setfiles(dracut_t)

udev_list_rules(dracut_t)
udev_rw_rules_files(dracut_t)
udev_delete_rules_files(dracut_t)
udev_setattr_rules_files(dracut_t)
udev_relabelto_rules_files(dracut_t)

userdom_search_user_home_dirs(dracut_t)
userdom_use_user_terminals(dracut_t)

ifdef(`init_systemd',`
sysnet_read_config(dracut_t)
sysnet_delete_config(dracut_t)
sysnet_setattr_config(dracut_t)
sysnet_relabelto_config(dracut_t)

init_manage_all_unit_files(dracut_t)
init_relabel_all_unit_files(dracut_t)

systemd_exec_sysusers(dracut_t)
systemd_read_user_units_files(dracut_t)
')

optional_policy(`
installkernel_list_tmp(dracut_t)
installkernel_create_tmp_files(dracut_t)
installkernel_rw_tmp_files(dracut_t)
')

optional_policy(`
lvm_exec(dracut_t)
lvm_read_config(dracut_t)
')

optional_policy(`
portage_exec_gcc_config(dracut_t)
portage_list_config(dracut_t)
portage_read_config(dracut_t)
portage_list_ebuild(dracut_t)
portage_read_ebuild_files(dracut_t)
')

optional_policy(`
ssh_exec_keygen(dracut_t)
ssh_read_server_keys(dracut_t)
ssh_dontaudit_getattr_home_dirs(dracut_t)
')

optional_policy(`
xdg_dontaudit_search_data_dirs(dracut_t)
')

optional_policy(`
zfs_read_config(dracut_t)
zfs_read_zpool_cache(dracut_t)
zfs_delete_zpool_cache(dracut_t)
zfs_setattr_zpool_cache_files(dracut_t)
zfs_relabelto_zpool_cache_files(dracut_t)
')
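Review bot: `setfcap` in the capability list on the `allow dracut_t self:capability` line, taken together with `corecmd_setattr_all_executables`, `libs_setattr_lib_files`, `files_setattr_usr_files` and `files_setattr_kernel_modules`, lets dracut_t set security.capability on any executable or library on the live system (setxattr maps to file:setattr plus CAP_SETFCAP), which is a distinct and quieter privilege-escalation path from plain deletion and currently carries no justifying comment. If it is present because the copy into the staging tree preserves xattrs, including file capabilities, say so next to the capability line, e.g. `# setfcap: copying binaries into the staging tree preserves security.capability`, so it is visibly tied to the staging/relabel workflow and can be dropped if that workflow changes. Likewise `kernel_read_network_state(dracut_t)` has no comment and no obvious consumer among the modules listed here; a short note on which dracut module needs it would help future pruning.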
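--- a/policy/modules/admin/installkernel.fc
+++ b/policy/modules/admin/installkernel.fc
@@ -0,0 +1,4 @@
+/usr/bin/kernel-install -- gen_context(system_u:object_r:installkernel_exec_t,s0)
+/usr/bin/installkernel -- gen_context(system_u:object_r:installkernel_exec_t,s0)
+/var/lib/misc/installkernel -- gen_context(system_u:object_r:installkernel_var_lib_t,s0)
+/var/log/installkernel\.log -- gen_context(system_u:object_r:installkernel_log_t,s0)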
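--- a/policy/modules/admin/installkernel.if
+++ b/policy/modules/admin/installkernel.if
@@ -0,0 +1,101 @@
+## <summary>Install kernels and update the bootloader configuration.</summary>
+
+########################################
+## <summary>
+## Execute installkernel in the installkernel domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`installkernel_domtrans',`
+gen_require(`
+type installkernel_t, installkernel_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, installkernel_exec_t, installkernel_t)
+')
+
+########################################
+## <summary>
+## Execute installkernel in the installkernel
+## domain, and allow the specified
+## role the installkernel domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`installkernel_run',`
+gen_require(`
+type installkernel_t;
+')
+
+installkernel_domtrans($1)
+role $2 types installkernel_t;
+')
+
+########################################
+## <summary>
+## List the contents of installkernel tmp directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`installkernel_list_tmp',`
+gen_require(`
+type installkernel_tmp_t;
+')
+
+allow $1 installkernel_tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Create installkernel tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`installkernel_create_tmp_files',`
+gen_require(`
+type installkernel_tmp_t;
+')
+
+create_files_pattern($1, installkernel_tmp_t, installkernel_tmp_t)
+')
+
+########################################
+## <summary>
+## Read and write installkernel tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`installkernel_rw_tmp_files',`
+gen_require(`
+type installkernel_tmp_t;
+')
+
+rw_files_pattern($1, installkernel_tmp_t, installkernel_tmp_t)
+')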
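Review bot: `installkernel_list_tmp`, `installkernel_create_tmp_files` and `installkernel_rw_tmp_files` grant access to installkernel_tmp_t objects without giving the caller search on the enclosing tmp_t directory, whereas `dracut_rw_tmp_files` in this same PR calls `files_search_var($1)` and `files_search_tmp($1)` first. A caller that does not already hold tmp_t search will fail the path walk before the installkernel_tmp_t rule is consulted, so the interfaces only work for domains that happen to get that access elsewhere; add `files_search_tmp($1)` to each of the three so they are self-contained and consistent with the dracut counterpart. installkernel.te is not in this view, so whether installkernel_tmp_t can also land under /var/tmp is not visible here; if it can, include `files_search_var($1)` as dracut.if does.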