From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 14 Jan 2014 09:48:23 -0500
Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc
In-Reply-To: <52D54546.8010308@tresys.com>
References: <1386691021.18689.75.camel@d30> <52D54215.3040707@tresys.com> <1389708128.28251.54.camel@x220.localdomain> <52D54546.8010308@tresys.com>
Message-ID: <52D54E37.90307@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/14/2014 09:10 AM, Christopher J. PeBenito wrote:
> On Tue Jan 14 09:02:08 2014, Dominick Grift wrote:
>> On Tue, 2014-01-14 at 08:56 -0500, Christopher J. PeBenito wrote:
>>> On 12/10/13 10:57, Dominick Grift wrote:
>>>> I have not tested this yet and it is a theory
>>>>
>>>> I was not there when that type attribute was implemented so I do not
>>>> know the rationale behind the decision to implement it.
>>>>
>>>> Would be nice if anyone could shed some light on that and would be
>>>> even better if this fix is acknowledged
>>>
>>> It seems like it would probably work, but definitely needs to be
>>> tested.
>>>
>>
>> I have tested it. Role transitions should happen on the init script and
>> now on the daemon entry file. This is a bug in the init_run_daemon
>> interface and it breaks a lot of stuff
>>
>> Also the init_run_daemon(unconfined_t, unconfined_r) should be made
>> tunable (direct_sysadm_daemon)
>
> Would you send patches for these? The first patch I only see as inlined
> comments in the body of the first message.
>
> -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com

Well Fedora still does the transition since we have an interface init_script_role_transition(unconfined_r)

+interface(`init_script_role_transition',` + gen_require(` + attribute init_script_file_type; + ') + + role_transition $1 init_script_file_type system_r; +')

But I am fine with Dominick's change.
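
Review bot: in `init_script_role_transition`, the `gen_require` block declares only `attribute init_script_file_type;`, but the `role_transition` line also references `system_r`. Add `role system_r;` to the require block so the interface does not depend on the caller already having that role in scope. As posted, the interface also has no `## <summary>` / `## <param name="...">` documentation header. Add one stating that `$1` is the source role and that the transition to `system_r` is keyed on every type carrying the `init_script_file_type` attribute, since that breadth is what a caller such as `init_script_role_transition(unconfined_r)` is opting into.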