updated selinux policy; hopefully services are no longer started as

sau_t after restart

selinux/sau.te

@@ -23,14 +23,35 @@ role system_r types sau_t;
 domain_auto_transition_pattern(sysadm_t, sau_exec_t, sau_t)
 domain_auto_transition_pattern(system_cronjob_t, sau_exec_t, sau_t)
 
-# this should be fixed, but I don't know enough selinux magic to restrict this
+domain_use_interactive_fds(sau_t)
-# while still allowing it to inspect all open files for all processes
+userdom_use_user_ptys(sau_t)
-unconfined_domain_noaudit(sau_t)
+userdom_use_all_users_fds(sau_t)
+
+# required for python
+corecmd_mmap_bin_files(sau_t)
+
+
+kernel_read_system_state(sau_t)
+domain_read_all_domains_state(sau_t)
+allow sau_t self:capability sys_ptrace;
+
+init_startstop_all_script_services(sau_t)
+init_all_labeled_script_domtrans(sau_t)
+init_use_script_ptys(sau_t)
+
+miscfiles_read_localization(sau_t)
+logging_send_syslog_msg(sau_t)
+allow sau_t self:fifo_file { read write };
+corecmd_exec_shell(sau_t)
+corecmd_exec_bin(sau_t)
+
+init_manage_script_service(sau_t)
+init_read_script_status_files(sau_t)
+allow sau_t initrc_state_t:lnk_file { getattr read };
+allow sau_t initrc_state_t:dir { search read };
 
 # Gentoo specific
 portage_domtrans(sau_t)
 
-
+dontaudit sau_t self:fifo_file { getattr ioctl };
-# postfix
-postfix_admin(sau_t, system_r)