From: russell@coker.com.au (Russell Coker)
Date: Fri, 17 Feb 2017 00:38:08 +1100
Subject: [refpolicy] [PATCH] little misc patches
In-Reply-To:
References: <20170212113832.h4damrekbuv6d4xn@athena.coker.com.au>
Message-ID: <201702170038.08462.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 13 Feb 2017 06:36:50 AM Nicolas Iooss via refpolicy wrote:
> > +/usr/lib/systemd/[^/]* -- gen_context(system_u:object_r:
> > init_exec_t,s0)
> > +/usr/lib/systemd/system-generators/[^/]* --
> > gen_context(system_u:object_r:init_exec_t,s0)
> >
> > /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:
> > initrc_exec_t,s0)
> >
> > /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:
> > initrc_exec_t,s0)
>
> Why is /usr/lib/systemd/[^/]* needed and labeled init_exec_t, instead of
> bin_t for example? /usr/lib/systemd/systemd is already labeled init_exec_t
> and /usr/lib/systemd/ contains other programs such as systemd services
> (which contexts are defined in policy/modules/system/systemd.fc).

I've removed that, it works well without it.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
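
Review bot: the first added entry, `/usr/lib/systemd/[^/]* --`, assigns init_exec_t to every regular file directly under /usr/lib/systemd, which goes well beyond the /usr/lib/systemd/systemd binary that the reply notes is already labeled init_exec_t, and it also matches the service programs whose contexts the reply says are defined in policy/modules/system/systemd.fc. Drop the entry or replace the regex with the explicit paths that need the type. The second added entry gives everything in system-generators/ the same init_exec_t type with no comment saying why; a one-line comment above it stating the reason for that type would make the choice reviewable.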