From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 13 Jan 2014 21:22:12 +0100
Subject: [refpolicy] systemd policy
In-Reply-To: <52D449A2.5080809@redhat.com>
References: <5992094.YlEUt0BCZP@russell.coker.com.au> <20140112131841.71f6da37@fornost.bigon.be> <5347508.kSSh66cgIv@russell.coker.com.au> <52D401D3.5040900@redhat.com> <1389639753.20228.8.camel@x220.localdomain> <52D449A2.5080809@redhat.com>
Message-ID: <1389644532.21000.3.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote:
>
> Well I would not say we don't care about other init systems, since we still
> need to support systemV init scripts. I removed init_run_daemon(unconfined_t)
> because it was causing us problems with "Daemons" attempting to run as
> unconfined_u:system_r:unconfined_t:s0. We are attempting to tighten security
> on confined domains being able to transition to unconfined domains.

I suspect you removed it to get rid of the role transition on init daemon entry files, and I believe my solution deals with that without the need to remove that interface call.

http://oss.tresys.com/pipermail/refpolicy/2013-December/006740.html

I briefly tested the above patch and it seems to "work".