[refpolicy] systemd policy
Daniel J Walsh
dwalsh at redhat.com
Tue Jan 14 09:49:23 EST 2014
On 01/13/2014 04:07 PM, Dominick Grift wrote:
> On Mon, 2014-01-13 at 21:22 +0100, Dominick Grift wrote:
>> On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote:
>>> Well I would not say we don't care about other init systems, since we
>>> still need to support systemV init scripts. I removed
>>> init_run_daemon(unconfined_t) because it was causing us problems with
>>> "Daemons" attempting to run as unconfined_u:system_r:unconfined_t:s0.
>>> We are attempting to tighten security on confined domains being able to
>>> transition to unconfined domains.
>> I suspect you removed it to get rid of the role transition on init daemon
>> entry files, and I believe my solution deals with that without the need
>> to remove that interface call.
>> I briefly tested the above patch and it seems to "work".
> Here is a quick demo with some tests to see if the above patch works.
> YouTube is also processing a larger video that demonstrates the whole
> process from implementing the change to testing it.
Yes, I like your solution. Could you make the change in Fedora?