[refpolicy] RFC: direct_init_entry breaks direct_initrc

Christopher J. PeBenito cpebenito at tresys.com
Thu Jan 16 16:12:13 EST 2014


On 01/15/14 10:44, Dominick Grift wrote:
> On Wed, 2014-01-15 at 08:51 -0500, Christopher J. PeBenito wrote:
>> On 01/14/14 17:23, Dominick Grift wrote:
>>> On Tue, 2014-01-14 at 15:44 -0500, Christopher J. PeBenito wrote:
>>>>
>>>> I think you may be able to drop the direct_run_init attribute and put the domtrans you added in the init_run_daemon() interface instead.
>>>>
>>>
>>> Right, I also got rid of direct_init because it was a loose end as well
>>>
>>> It builds but still not actually tested
>>
>> On further looking it looks like we shouldn't completely remove the direct_sysadm_daemon block out of init_daemon_domain; the userdom_dontaudit_use_user_terminals($1) should probably remain.  I'd also prefer to separate the unconfined portion out to a separate patch.  Otherwise it looks good.
>>
> 
> Enclosed patches. Built successfully
> 
> By the way, this may not be an end-all solution. Since I think commands
> like newaliases and rpm *may* also be affected, especially with regard to
> system_r role, but I think that if that turns out to be true that we can
> deal with those issues as they arise. (these are some of the very rare
> instances where a role transition might also be desired)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

