From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 13 Jan 2014 22:07:28 +0100
Subject: [refpolicy] systemd policy
In-Reply-To: <1389644532.21000.3.camel@x220.localdomain>
References: <5992094.YlEUt0BCZP@russell.coker.com.au>
	<20140112131841.71f6da37@fornost.bigon.be>
	<5347508.kSSh66cgIv@russell.coker.com.au>
	<52D401D3.5040900@redhat.com>
	<1389639753.20228.8.camel@x220.localdomain>
	<52D449A2.5080809@redhat.com>
	<1389644532.21000.3.camel@x220.localdomain>
Message-ID: <1389647248.21000.6.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2014-01-13 at 21:22 +0100, Dominick Grift wrote:
> On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote:
> >
> >
> > Well I would not say we don't care about other init systems, since we still
> > need to support systemV init scripts. I removed init_run_daemon(unconfined_t)
> > because it was causing us problems with "Daemons" attempting to run as
> > unconfined_u:system_r:unconfined_t:s0. We are attempting to tighten security
> > on confined domains being able to transition to unconfined domains.
>
> I suspect you removed it to get rid of the role transition on init
> daemon entry files, and I believe my solution deals with that without
> the need to remove that interface call.
>
> http://oss.tresys.com/pipermail/refpolicy/2013-December/006740.html
>
> I briefly tested the above patch and it seems to "work".
>
> https://www.youtube.com/watch?v=gqUFSKplehA

Here is a quick demo with some tests to see if the above patch works.

YouTube is also processing a larger video that demonstrates the whole process, from implementing the change to testing it.
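The symptom Daniel describes above (daemons ending up as unconfined_u:system_r:unconfined_t:s0 instead of a confined domain) can be checked for on a running host by scanning a `ps -eZ` listing. The script below is an added example, not code from this thread or from refpolicy; the process listing it parses is constructed, and it flags any process in the system_r role whose type is unconfined_t, while leaving interactive unconfined_r sessions alone.

```python
"""Audit a `ps -eZ` listing for daemons that ended up in unconfined_t.

Daemons started by init should run in a confined domain under system_r;
a system_r process in unconfined_t is the mis-transition discussed in the thread.
"""
import re

# Constructed sample in the shape of `ps -eZ` output (not captured from a real host).
SAMPLE_PS_EZ = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:01 systemd
system_u:system_r:syslogd_t:s0      412 ?        00:00:00 rsyslogd
unconfined_u:system_r:unconfined_t:s0 530 ?     00:00:00 mydaemon
unconfined_u:unconfined_r:unconfined_t:s0 1203 pts/0 00:00:00 bash
system_u:system_r:sshd_t:s0-s0:c0.c1023 640 ?  00:00:00 sshd
"""

# label, pid, tty, time, command (command may contain spaces)
LINE_RE = re.compile(
    r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+(?P<tty>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.+)$"
)


def parse_context(label):
    """Split user:role:type:level. The level itself may contain ':' (MLS ranges),
    so split on at most three colons."""
    user, role, stype, level = label.split(":", 3)
    return {"user": user, "role": role, "type": stype, "level": level}


def find_unconfined_daemons(ps_output, daemon_role="system_r", unconfined_type="unconfined_t"):
    """Return (pid, cmd, label) for processes in the daemon role but an unconfined type.
    Interactive shells in unconfined_r are expected and are not reported."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx = parse_context(m.group("label"))
        if ctx["role"] == daemon_role and ctx["type"] == unconfined_type:
            hits.append((int(m.group("pid")), m.group("cmd"), m.group("label")))
    return hits


if __name__ == "__main__":
    for pid, cmd, label in find_unconfined_daemons(SAMPLE_PS_EZ):
        print(f"unconfined daemon: pid={pid} cmd={cmd} context={label}")
```

On a live system, feed it the real listing with `find_unconfined_daemons(subprocess.check_output(["ps", "-eZ"], text=True))`.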