transition from init_rc

[Tracy Reed]

I think I'm really close to having this policy finished and working, just a
couple things to work out...

When I exercise my app and then run audit2allow and it says:

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow myapp_t default_t:dir search;
allow myapp_t default_t:dir read;
allow myapp_t default_t:file execmod;
allow myapp_t myapp_bin_t:file write;

does it mean only the first line is an constraint violation? Or are all of
those constraint violations?

How does one typically deal with constraint violations? By attribute above I
suppose it means a type attribue but how do I know which one to add?

Then I have these:

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow initrc_t default_t:file relabelto;

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow initrc_t myapp_api_t:file relabelto;

The init script which starts the service relabels the files when the service
starts. I suspect this is a bad idea and I'm not sure why they are doing it. I
think they may be applying security categories here. We may have to find a
different way to approach that.

But how would I allow this if I wanted to? 

Similarly:

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow setfiles_t default_t:file relabelfrom;

#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.
#Contraint rule: 
allow setfiles_t myapp_api_t:file relabelfrom;

etc...

This is all on CentOS 6.5.

Thanks!

-- 
Tracy Reed