Upstart spawns a shell during boot and, without this patch, it will transition to the sysadm_t domain, but remain in the system_r role. Services started by that shell will fail to start, even in permissive mode, if system_u:system_r:sysadm_someservice_t is an invalid context. We really don't want to be starting services from the sysadm_t domain during boot. Index: policy/modules/system/init.te =================================================================== --- policy/modules/system/init.te (revision 2631) +++ policy/modules/system/init.te (working copy) @@ -164,10 +164,12 @@ ') ifndef(`distro_ubuntu',` +ifndef(`distro_redhat',` # Run the shell in the sysadm role for single-user mode. # causes problems with upstart userdom_shell_domtrans_sysadm(init_t) ') +') optional_policy(` auth_rw_login_records(init_t) -- James Carter <jwcart2@xxxxxxxxxxxxx> National Security Agency
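
Review bot: The added ifndef(`distro_redhat',` guard in the @@ -164,10 +164,12 @@ hunk keys the exclusion on the distribution, while both the commit message and the existing comment ("# causes problems with upstart") attribute the problem to upstart. A distro_redhat build that does not boot with upstart would also lose userdom_shell_domtrans_sysadm(init_t), and with it the single-user sysadm shell that the first comment line describes. Please extend the in-policy comment to say that both guarded distributions are excluded because of upstart, and why (the shell lands in sysadm_t while staying in system_r, so services it starts can get an invalid context). That would also make the nested ifndef pair and its two bare ') closers readable without this thread. It would help to state as well how the single-user shell is expected to reach the sysadm role on these distributions once the transition is compiled out.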