[refpolicy] system_init.patch
Christopher J. PeBenito
cpebenito at tresys.com
Fri Feb 12 14:00:12 CST 2010
On Thu, 2009-11-12 at 17:09 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/system_init.patch
>
> Fix labels
>
> Add policy to make upstart->daemon work, in addition to
> upstart->initrc_t->daemon
This needs to go in an init_upstart tunable block.
initrc_tmp_t blk_files and chr_files need explanation, otherwise it's
completely unacceptable.
It looks like your patch reverses some upstream changes, e.g.:
+fs_register_binary_executable_type(initrc_t)
+# rhgb-console writes to ramfs
+fs_write_ramfs_pipes(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+fs_mount_all_fs(initrc_t)
+fs_unmount_all_fs(initrc_t)
+fs_remount_all_fs(initrc_t)
+fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
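Review bot: the added block gives initrc_t fs_mount_all_fs, fs_unmount_all_fs and fs_remount_all_fs, while the comment carried with it ("cjp: not sure why these are here; should use mount policy") already questions that access. If this is only a relocation of existing lines, drop it from the patch so the diff does not reorder upstream. The last two lines, fs_search_all(initrc_t) and fs_getattr_nfsd_files(initrc_t), are not among the removed lines quoted after this, so if they are new access they should be submitted as a separate change with a stated reason.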
then later:
-fs_register_binary_executable_type(initrc_t)
-# rhgb-console writes to ramfs
-fs_write_ramfs_pipes(initrc_t)
-# cjp: not sure why these are here; should use mount policy
-fs_mount_all_fs(initrc_t)
-fs_unmount_all_fs(initrc_t)
-fs_remount_all_fs(initrc_t)
-fs_getattr_all_fs(initrc_t)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150