From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 15 Jan 2014 12:01:18 -0500
Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc
In-Reply-To: <1389800689.5861.15.camel@x220.localdomain>
References: <1386691021.18689.75.camel@d30> <52D54215.3040707@tresys.com> <1389708128.28251.54.camel@x220.localdomain> <52D54546.8010308@tresys.com> <1389724229.28251.74.camel@x220.localdomain> <52D5A197.8010805@tresys.com> <1389738227.4012.2.camel@x220.localdomain> <52D69265.80902@tresys.com> <1389800689.5861.15.camel@x220.localdomain>
Message-ID: <52D6BEDE.20806@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/15/2014 10:44 AM, Dominick Grift wrote:
> On Wed, 2014-01-15 at 08:51 -0500, Christopher J. PeBenito wrote:
>> On 01/14/14 17:23, Dominick Grift wrote:
>>> On Tue, 2014-01-14 at 15:44 -0500, Christopher J. PeBenito wrote:
>>>>
>>>> I think you may be able to drop the direct_run_init attribute and put
>>>> the domtrans you added in the init_run_daemon() interface instead.
>>>>
>>>
>>> Right, I also got rid of direct_init because it was a loose end as well.
>>>
>>> It builds but is still not actually tested.
>>
>> On further looking it looks like we shouldn't completely remove the
>> direct_sysadm_daemon block out of init_daemon_domain; the
>> userdom_dontaudit_use_user_terminals($1) should probably remain. I'd
>> also prefer to separate the unconfined portion out to a separate patch.
>> Otherwise it looks good.
>>
>
> Enclosed patches. Built successfully.
>
> By the way this may not be an end-all solution. Since I think commands like
> newaliases and rpm *may* also be affected especially with regard to
> system_r role but I think that if that turns out to be true that we can
> deal with those issues as they arise.
> (these are some of the very rare instances where a role transition might
> also be desired)
>
> In my test on Fedora I did run rpm and did not notice anything except a
>
> allow NetworkManager_t initrc_t:process sigkill;
>
> not sure if that was related but it is kind of weird since Fedora uses
> systemd_t so I wasn't expecting anything initrc_t related
>

NetworkManager_t has lots of transitions to initrc_t, maybe one of these has not been replaced with systemd yet.