From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] systemd policy
Date: Tue, 14 Jan 2014 09:49:23 -0500 [thread overview]
Message-ID: <52D54E73.80308@redhat.com> (raw)
In-Reply-To: <1389647248.21000.6.camel@x220.localdomain>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/13/2014 04:07 PM, Dominick Grift wrote:
> On Mon, 2014-01-13 at 21:22 +0100, Dominick Grift wrote:
>> On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote:
>>
>>>>
>>> Well I would not say we don't care about other init systems, since we
>>> still need to support systemV init scripts. I removed
>>> init_run_daemon(unconfined_t) because it was causing us problems with
>>> "Daemons" attempting to run as unconfined_u:system_r:unconfined_t:s0.
>>> We are attempting to tighten security on confined domains being able to
>>> transition to unconfined domains.
>>
>> I suspect you removed it to get rid of the role transition on init daemon
>> entry files, and i believe my solution deals with that without the need
>> to remove that interface call.
>>
>> http://oss.tresys.com/pipermail/refpolicy/2013-December/006740.html
>>
>> I briefly tested the above patch and it seems to "work"
>>
>>
>
> https://www.youtube.com/watch?v=gqUFSKplehA
>
> Here is a quick demo with some tests to see if above patch works
>
> youtube is also processing a larger video that demonstrates the whole
> process from implementing the change to testing it
>
>
>
Yes I like your solution. Could you make the change in Fedora.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlLVTnIACgkQrlYvE4MpobNmFgCeMSXg+mlWsbVuQOV7xw7L1BGJ
fx0AoNu8WGvX/eQJTc1XZOChZutpim0u
=Y4bT
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2014-01-14 14:49 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-12 7:06 [refpolicy] systemd policy Russell Coker
2014-01-12 12:18 ` Laurent Bigonville
2014-01-13 12:52 ` Russell Coker
2014-01-13 15:10 ` Daniel J Walsh
2014-01-13 19:02 ` Dominick Grift
2014-01-13 20:16 ` Daniel J Walsh
2014-01-13 20:22 ` Dominick Grift
2014-01-13 21:07 ` Dominick Grift
2014-01-14 14:49 ` Daniel J Walsh [this message]
2014-01-14 11:24 ` Dominick Grift
2014-01-13 23:37 ` Russell Coker
2014-01-14 9:46 ` Dominick Grift
2014-01-14 9:58 ` Dominick Grift
2014-01-14 12:35 ` Laurent Bigonville
2014-01-14 13:03 ` Dominick Grift
2014-01-27 6:56 ` Russell Coker
2014-02-06 14:40 ` Christopher J. PeBenito
2014-01-14 10:12 ` Dominick Grift
2014-01-14 12:22 ` Laurent Bigonville
2014-01-14 13:34 ` Christopher J. PeBenito
2014-01-14 13:54 ` Dominick Grift
2014-01-14 14:41 ` Laurent Bigonville
2014-01-14 14:55 ` Daniel J Walsh
2014-01-27 14:17 ` Miroslav Grepl
2014-02-06 16:32 ` Christopher J. PeBenito
-- strict thread matches above, loose matches on Subject: below --
2015-10-19 18:17 [refpolicy] Systemd policy Christopher J. PeBenito
2015-10-20 11:35 ` Dominick Grift
2015-10-23 19:23 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=52D54E73.80308@redhat.com \
--to=dwalsh@redhat.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.