Daniel Burgener <dburgener@xxxxxxxxxxxxxxxxxxx> writes: >> =================================================================== >> --- refpolicy-2.20210908.orig/policy/modules/system/systemd.te >> +++ refpolicy-2.20210908/policy/modules/system/systemd.te >> @@ -65,10 +65,6 @@ type systemd_activate_t; >> type systemd_activate_exec_t; >> init_system_domain(systemd_activate_t, systemd_activate_exec_t) >> -type systemd_analyze_t; >> -type systemd_analyze_exec_t; >> -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) >> - >> type systemd_backlight_t; >> type systemd_backlight_exec_t; >> init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) > > I proposed a similar change last year here and the consensus in the PR > discussion was that it would make more sense to add policy for the > systemd_analyze_t domain for cases that wanted a transition there, but > keeping the general approach of running in the parent domain. > > https://github.com/SELinuxProject/refpolicy/pull/321 > > Of course, no one has actually submitted systemd_analyze_t policy yet, > so maybe the demand for such a use case isn't all that high? > > -Daniel > I think I might have argued for keeping it around back then but I do not mind removing it now. It certainly is not an init_daemon_domain(). One can always add it later if needed. -- gpg --locate-keys dominick.grift@xxxxxxxxxxx Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift
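Review bot: Nothing in the hunk at systemd.te @@ -65,10 +65,6 shows the remaining references to systemd_analyze_t and systemd_analyze_exec_t being removed along with the two type declarations. If a file context entry, interface or rule elsewhere in the systemd module still names either type, the policy will fail to build, and a binary already labeled systemd_analyze_exec_t will need relabeling once the type is gone. Please confirm the rest of the patch drops every remaining use of both types, and consider citing the earlier discussion (https://github.com/SELinuxProject/refpolicy/pull/321) in the commit message so the reason for removing the domain, rather than adding policy for it, is on record.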