>>SELinux Mailing List

Contents

Overview

What's New

Frequently Asked Questions

Background

Documentation

License

Download

Participating

Mail List

Archive Summary

Archive by Thread

Archive by Author

Archive by Date

Archive by Subject

Remaining Work

Contributors

Related Work

Press Releases

Re: starting daemons under Debian

From: Russell Coker <russell_at_coker.com.au>
Date: Sun, 20 Jan 2002 12:45:27 +0100

On Sun, 20 Jan 2002 07:49, Manoj Srivastava wrote:
> >>"Russell" == Russell Coker <russell@coker.com.au> writes:
>
> Russell> One thing I have played with is setting the security
> Russell> contexts so that the daemon automatically changes to the
> Russell> correct domain on startup from the sysadm_t domain such as
> Russell> the following (and also a minor matching change to rbac to
> Russell> make it allow root:sysadm_r:sshd_t):
>
> Russell> domain_auto_trans(sysadm_t , sshd_exec_t, sshd_t)
>
> Russell> This is minorly ugly, involves more rules than I'd like, but
> Russell> has the benefit that running "sshd" at the command line gets
> Russell> the same result as "/etc/init.d/ssh start".
>
> Russell> The other option is to divert /sbin/start-stop-daemon which
> Russell> is used by Debian for starting most (should be all) daemons.
> Russell> Then my replacement script would call run_init to run the
> Russell> real start-stop-daemon.
>
> But you lose the option to start sshd on the command line,
> don't you?

You lose the option to type "sshd" to start it, but you don't lose the option to type "/etc/init.d/ssh start".

> Russell> Any comments on the relative merits of these two schemes?
>
> Putting on my Debian hat, I'd prefer the former, all else
> being the same. I'd also like to investigate the possibility of
> packages providing the recommended additions to policy, which can be
> used by the policy admin as a guide to what rules may be needed to
> utilize a package to the fullest capacity (I would not, of course,
> skip the human oversight step and automate the process).

Good point.

I think that we need a program to modify devfs_contexts and file_contexts and run chsid (for devfs_contexts) and give the option of either relabeling or running chsid for changes to file_contexts. Also we need some sort of program that operates in a similar fashion to useradd for the rbac file.

All of this needs to ask sane questions of the user.

PS We'll have to use chsid not chcon because chcon isn't in the base package.

-- 
http://www.coker.com.au/bonnie++/     Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/       Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/     My home page

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Sun 20 Jan 2002 - 06:56:17 EST

This message: [ Message body ]
Next message: Lonnie Cumberland: "restricted guest domain accounts"
Previous message: Manoj Srivastava: "Re: starting daemons under Debian"
In reply to: Manoj Srivastava: "Re: starting daemons under Debian"
Next in thread: Stephen Smalley: "Re: starting daemons under Debian"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:26 EDT