From 59546a8d1805b1767a204feb1e1ce16c2945f590 Mon Sep 17 00:00:00 2001 From: Barbora Ancincova Date: Oct 17 2014 14:16:45 +0000 Subject: BZ#1153540-initrc_t → unconfined_service_t Conflicts: en-US/part_I/Troubleshooting.xml --- diff --git a/en-US/part_I/Targeted_Policy.xml b/en-US/part_I/Targeted_Policy.xml index fb9862b..bc20e44 100644 --- a/en-US/part_I/Targeted_Policy.xml +++ b/en-US/part_I/Targeted_Policy.xml @@ -5,7 +5,7 @@ Targeted Policy - Targeted policy is the default SELinux policy used in &PRODUCT;. When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged-in users run in the unconfined_t domain, and system processes started by init run in the initrc_t domain; both of these domains are unconfined. + Targeted policy is the default SELinux policy used in &PRODUCT;. When using targeted policy, processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. For example, by default, logged-in users run in the unconfined_t domain, and system processes started by init run in the unconfined_service_t domain; both of these domains are unconfined. Unconfined domains (as well as confined domains) are subject to executable and writeable memory checks. By default, subjects running in an unconfined domain cannot allocate writeable memory and execute it. This reduces vulnerability to buffer overflow attacks. These memory checks are disabled by setting Booleans, which allow the SELinux policy to be modified at runtime. Boolean configuration is discussed later. @@ -161,7 +161,7 @@ type=SYSCALL msg=audit(1220706212.937:70): arch=40000003 syscall=196 success=no
Unconfined Processes - Unconfined processes run in unconfined domains, for example, init programs run in the unconfined initrc_t domain, unconfined kernel processes run in the kernel_t domain, and unconfined Linux users run in the unconfined_t domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules – it does not replace them. + Unconfined processes run in unconfined domains, for example, init programs run in the unconfined unconfined_service_t domain, unconfined kernel processes run in the kernel_t domain, and unconfined Linux users run in the unconfined_t domain. For unconfined processes, SELinux policy rules are applied, but policy rules exist that allow processes running in unconfined domains almost all access. Processes running in unconfined domains fall back to using DAC rules exclusively. If an unconfined process is compromised, SELinux does not prevent an attacker from gaining access to system resources and data, but of course, DAC rules are still used. SELinux is a security enhancement on top of DAC rules – it does not replace them. To ensure that SELinux is enabled and the system is prepared to perform the following example, complete the described in . diff --git a/en-US/part_I/Troubleshooting.xml b/en-US/part_I/Troubleshooting.xml index 4c36cf2..e3ca2ba 100644 --- a/en-US/part_I/Troubleshooting.xml +++ b/en-US/part_I/Troubleshooting.xml 
@@ -538,7 +538,7 @@ type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no - success=no: indicates whether the denial (AVC) was enforced or not. success=no indicates the system call was not successful (SELinux denied access). success=yes indicates the system call was successful. This can be seen for permissive domains or unconfined domains, such as initrc_t and kernel_t. + success=no: indicates whether the denial (AVC) was enforced or not. success=no indicates the system call was not successful (SELinux denied access). success=yes indicates the system call was successful. This can be seen for permissive domains or unconfined domains, such as unconfined_service_t and kernel_t.
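Review bot: In the first hunk of Targeted_Policy.xml (@@ -5,7), the changed sentence states without qualification that "system processes started by init run in the unconfined_service_t domain", while the sentence just before it says that targeted processes run in a confined domain. Suggest narrowing the example to system processes started by init that are not targeted, so it does not read as covering every service that init starts.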
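Review bot: In the second hunk of Targeted_Policy.xml (@@ -161,7), the one-for-one substitution leaves "init programs run in the unconfined unconfined_service_t domain", which doubles the word. Suggest "init programs run in the unconfined_service_t domain"; the type name already says it, and the sentence opens by stating that these are unconfined domains.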
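Review bot: In the Troubleshooting.xml hunk (@@ -538,7), "permissive domains or unconfined domains, such as unconfined_service_t and kernel_t" leaves it unclear whether the two examples illustrate both kinds of domain or only the unconfined ones. Suggest "for permissive domains, or for unconfined domains such as unconfined_service_t and kernel_t". The commit message also still lists "Conflicts: en-US/part_I/Troubleshooting.xml" for this file; please confirm the conflict was resolved as intended and drop that line.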