[refpolicy] systemd policy

Dominick Grift dominick.grift at gmail.com
Mon Jan 13 16:07:28 EST 2014


On Mon, 2014-01-13 at 21:22 +0100, Dominick Grift wrote:
> On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote:
> 
> > > 
> > Well I would not say we don't care about other init systems, since we still
> > need to support systemV init scripts.  I removed init_run_daemon(unconfined_t)
> > because it was causing us problems with "Daemons" attempting to run as
> > unconfined_u:system_r:unconfined_t:s0.  We are attempting to tighten security
> > on confined domains being able to transition to unconfined domains.
> 
> I suspect you removed it to get rid of the role transition on init
> daemon entry files, and I believe my solution deals with that without
> the need to remove that interface call.
> 
> http://oss.tresys.com/pipermail/refpolicy/2013-December/006740.html
> 
> I briefly tested the above patch and it seems to "work"
> 
> 

https://www.youtube.com/watch?v=gqUFSKplehA

Here is a quick demo with some tests to see if the above patch works.

YouTube is also processing a larger video that demonstrates the whole
process from implementing the change to testing it.




