From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 14 Jan 2014 09:49:23 -0500
Subject: [refpolicy] systemd policy
In-Reply-To: <1389647248.21000.6.camel@x220.localdomain>
References: <5992094.YlEUt0BCZP@russell.coker.com.au> <20140112131841.71f6da37@fornost.bigon.be> <5347508.kSSh66cgIv@russell.coker.com.au> <52D401D3.5040900@redhat.com> <1389639753.20228.8.camel@x220.localdomain> <52D449A2.5080809@redhat.com> <1389644532.21000.3.camel@x220.localdomain> <1389647248.21000.6.camel@x220.localdomain>
Message-ID: <52D54E73.80308@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/13/2014 04:07 PM, Dominick Grift wrote:
> On Mon, 2014-01-13 at 21:22 +0100, Dominick Grift wrote:
>> On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote:
>>
>>> Well I would not say we don't care about other init systems, since we
>>> still need to support systemV init scripts. I removed
>>> init_run_daemon(unconfined_t) because it was causing us problems with
>>> "Daemons" attempting to run as unconfined_u:system_r:unconfined_t:s0.
>>> We are attempting to tighten security on confined domains being able to
>>> transition to unconfined domains.
>>
>> I suspect you removed it to get rid of the role transition on init daemon
>> entry files, and I believe my solution deals with that without the need
>> to remove that interface call.
>>
>> http://oss.tresys.com/pipermail/refpolicy/2013-December/006740.html
>>
>> I briefly tested the above patch and it seems to "work"
>>
>
> https://www.youtube.com/watch?v=gqUFSKplehA
>
> Here is a quick demo with some tests to see if the above patch works
>
> YouTube is also processing a larger video that demonstrates the whole
> process from implementing the change to testing it
>

Yes, I like your solution. Could you make the change in Fedora?