From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 14 Jan 2014 09:48:23 -0500
Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc
In-Reply-To: <52D54546.8010308@tresys.com>
References: <1386691021.18689.75.camel@d30>
	<52D54215.3040707@tresys.com>	<1389708128.28251.54.camel@x220.localdomain>
	<52D54546.8010308@tresys.com>
Message-ID: <52D54E37.90307@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/14/2014 09:10 AM, Christopher J. PeBenito wrote:
> On Tue Jan 14 09:02:08 2014, Dominick Grift wrote:
>> On Tue, 2014-01-14 at 08:56 -0500, Christopher J. PeBenito wrote:
>>> On 12/10/13 10:57, Dominick Grift wrote:
>>>> I have not tested this yet and it is a theory
>>>> 
>>>> I was not there when that type attribute was implemented so i do not 
>>>> know the rationale behind the decision to implement it.
>>>> 
>>>> Would be nice if anyone could shed some light on that and would be
>>>> even better if this fix is acknowledged
>>> 
>>> It seems like it would probably work, but definitely needs to be
>>> tested.
>>> 
>> 
>> I have tested it. role transitions should happen on the init script and 
>> now on the daemon entry file. This is a bug in the init_run_daemon 
>> interface and it breaks a lot of stuff
>> 
>> Also the init_run_daemon(unconfined_t, unconfined_r) should be make 
>> tunable (direct_sysadm_daemon)
> 
> Would you send patches for these?  The first patch I only see as inlined
> comments in the body of the first message.
> 
> -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com 
> _______________________________________________ refpolicy mailing list 
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
> 


Well Fedora still does the transition since we have an interface

init_script_role_transition(unconfined_r)


+interface(`init_script_role_transition',`
+       gen_require(`
+               attribute init_script_file_type;
+       ')
+
+       role_transition $1 init_script_file_type system_r;
+')


But I am fine with Dominick's change.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlLVTjYACgkQrlYvE4MpobPAzACgjshCRnUkzgdNjyjcxqwDp4Zv
lkoAoLZZ167ZBWx+eBlvYdCa5ZoHfwYN
=4l0D
-----END PGP SIGNATURE-----