On Sat, 19 Jan 2002, Russell Coker wrote:
> I am considering how to make SE Linux integrate smoothly with Debian
> regarding the startup of daemons.
>
> Requiring everyone to change all their init scripts is out of the question of
> course.
>
> One thing I have played with is setting the security contexts so that the
> daemon automatically changes to the correct domain on startup from the
> sysadm_t domain such as the following (and also a minor matching change to
> rbac to make it allow root:sysadm_r:sshd_t):
>
> domain_auto_trans(sysadm_t , sshd_exec_t, sshd_t)
>
> This is minorly ugly, involves more rules than I'd like, but has the benefit
> that running "sshd" at the command line gets the same result as
> "/etc/init.d/ssh start".
>
> The other option is to divert /sbin/start-stop-daemon which is used by Debian
> for starting most (should be all) daemons. Then my replacement script would
> call run_init to run the real start-stop-daemon.
>
> Any comments on the relative merits of these two schemes?
>
> I realise that the recommended way is probably run_init (it was written for a
> reason), but how bad an idea is it to not use it?

Obviously, we would recommend using run_init. The other scheme has the
following limitations:

1) It only sets the domain of the daemon process, not the user identity or
role, whereas run_init ensures that the complete security context is set
correctly,
2) It doesn't provide any safeguard to ensure that the administrator truly
wants to start or restart a system process (as opposed to some malicious
code run by the administrator), whereas run_init requires the
administrator to re-authenticate to confirm the action,
3) It requires significant duplication of rules between the initrc_t
domain and the sysadm_t domain.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com

Received on Tue 22 Jan 2002 - 08:56:48 EST
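
The following toy model is an added example, not part of the original thread and not real SE Linux policy syntax. It shows limitations 1 and 3 from the reply: an exec-time transition changes only the type, so a direct start ends in root:sysadm_r:sshd_t, while the run_init path starts from a full init-script context. The `system_u:system_r:initrc_t` context and all Python names are assumptions made for illustration.

```python
# Toy model of exec-time domain transitions (constructed; not policy syntax).
from typing import NamedTuple

class Context(NamedTuple):
    user: str
    role: str
    type: str
    def __str__(self):
        return f"{self.user}:{self.role}:{self.type}"

# (source domain, executable type) -> new domain, as domain_auto_trans declares
AUTO_TRANS = {
    ("initrc_t", "sshd_exec_t"): "sshd_t",  # normal init-script path
    ("sysadm_t", "sshd_exec_t"): "sshd_t",  # extra rule from the proposal
}
# role -> domains that role may enter (the RBAC side of the policy)
ROLE_TYPES = {
    "system_r": {"initrc_t", "sshd_t"},
    "sysadm_r": {"sysadm_t", "sshd_t"},     # sshd_t is the "minor rbac change"
}
# Assumed context that run_init assigns to the init script
INIT_SCRIPT_CONTEXT = Context("system_u", "system_r", "initrc_t")

def exec_transition(ctx, exec_type):
    """Exec changes only the type; user and role are inherited unchanged."""
    new_type = AUTO_TRANS.get((ctx.type, exec_type), ctx.type)
    if new_type not in ROLE_TYPES.get(ctx.role, set()):
        raise PermissionError(f"{ctx.role} is not authorized for {new_type}")
    return ctx._replace(type=new_type)

def start_direct(admin_ctx):
    """Administrator runs the daemon binary from a sysadm_t shell."""
    return exec_transition(admin_ctx, "sshd_exec_t")

def start_via_run_init(admin_ctx):
    """run_init re-authenticates (not modeled), then replaces the whole context."""
    return exec_transition(INIT_SCRIPT_CONTEXT, "sshd_exec_t")

def duplicated_rules():
    """Executable types that need a transition rule in both domains."""
    return sorted(e for (d, e) in AUTO_TRANS
                  if d == "sysadm_t" and ("initrc_t", e) in AUTO_TRANS)

if __name__ == "__main__":
    admin = Context("root", "sysadm_r", "sysadm_t")
    print("direct start:", start_direct(admin))
    print("via run_init:", start_via_run_init(admin))
    print("rules duplicated for sysadm_t:", duplicated_rules())
```
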