I am considering how to make SE Linux integrate smoothly with Debian regarding the startup of daemons.  

Requiring everyone to change all their init scripts is out of the question of course.

One thing I have played with is setting the security contexts so that the daemon automatically changes to the correct domain on startup from the sysadm_t domain such as the following (and also a minor matching change to rbac to make it allow root:sysadm_r:sshd_t):

domain_auto_trans(sysadm_t , sshd_exec_t, sshd_t)

This is minorly ugly, involves more rules than I'd like, but has the benefit that running "sshd" at the command line gets the same result as "/etc/init.d/ssh start".

The other option is to divert /sbin/start-stop-daemon which is used by Debian for starting most (should be all) daemons. Then my replacement script would call run_init to run the real start-stop-daemon.

Any comments on the relative merits of these two schemes?

I realise that the recommended way is probably run_init (it was written for a reason), but how bad an idea is it to not use it?

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.