From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] RFC: direct_init_entry breaks direct_initrc
Date: Wed, 15 Jan 2014 12:01:18 -0500
Message-ID: <52D6BEDE.20806@redhat.com>
In-Reply-To: <1389800689.5861.15.camel@x220.localdomain>
On 01/15/2014 10:44 AM, Dominick Grift wrote:
> On Wed, 2014-01-15 at 08:51 -0500, Christopher J. PeBenito wrote:
>> On 01/14/14 17:23, Dominick Grift wrote:
>>> On Tue, 2014-01-14 at 15:44 -0500, Christopher J. PeBenito wrote:
>>>>
>>>> I think you may be able to drop the direct_run_init attribute and put
>>>> the domtrans you added in the init_run_daemon() interface instead.
>>>>
>>>
>>> Right, I also got rid of direct_init because it was a loose end as well
>>>
>>> It builds but still not actually tested
>>
>> On further looking it looks like we shouldn't completely remove the
>> direct_sysadm_daemon block out of init_daemon_domain; the
>> userdom_dontaudit_use_user_terminals($1) should probably remain. I'd
>> also prefer to separate the unconfined portion out to a separate patch.
>> Otherwise it looks good.
>>
>
> Enclosed patches. Built successfully
>
> By the way this may not be an end-all solution. Since I think commands like
> newaliases and rpm *may* also be affected especially with regard to
> system_r role but I think that if that turns out to be true that we can
> deal with those issues as they arise. (these are some of the very rare
> instances where a role transition might also be desired)
>
> In my test on Fedora I did run rpm and did not notice anything except a
>
> allow NetworkManager_t initrc_t:process sigkill;
>
> not sure if that was related but it is kind of weird since Fedora uses
> systemd_t so I wasn't expecting anything initrc_t related
>
>
NetworkManager_t has lots of transitions to initrc_t, maybe one of these has
not been replaced with systemd yet.