From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Russell Coker <russell@coker.com.au>
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: start of patch to dpkg's start-stop-daemon
Date: Thu, 20 May 2004 16:23:43 +0000
Message-ID: <20040520162343.GL8810@lkcl.net>
In-Reply-To: <200405210132.17391.russell@coker.com.au>

On Fri, May 21, 2004 at 01:32:17AM +1000, Russell Coker wrote:
> On Thu, 20 May 2004 18:43, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > it's a patch to dpkg 1.10.21's utils/start-stop-daemon.c
> > which causes a context switch just before
> > the setuid/setgid calls.
>
> What is the benefit in that?

uhm...

mmm...

it's easier than breaking pre-existing /etc/init.d/* scripts where
people expect the -u option to act as it should?

in other words, the benefit in patching start-stop-daemon is to
provide legacy transition support.

i _really_ don't want the -u option on my custom /etc/init.d/custom
script to suddenly start running the daemon as root.

as an inexperienced SE/Linux user i might not _know_ that i have to
write a domain_auto_trans() rule in the /etc/selinux policy.

therefore all of a sudden, by upgrading to SE/Linux i suddenly have
my -u option effectively ignored.

under which circumstances, what you are saying is that
because the script will run as system_u:system_r:initrc_t,
and because that context will not have (shouldn't have!)
permission to do anything outrageous, my startup script will
break.

well, that's better than nothing (an "i can't..." is a LOT
better than "i didn't know it could..."), but it's still a pain.

so, the benefit is: not so much pain.

is that a good enough reason?

sincerely,

l.

> start-stop-daemon is designed to be run from a /etc/init.d/* script. That
> script will run as system_u:system_r:initrc_t and there will be a
> domain_auto_trans() rule to cause the daemon to be started as
> system_u:system_r:whatever_t.
>
> start-stop-daemon is also run from cron jobs, in that case it will run as
> system_u:system_r:system_crond_t (in which case the program it runs will have
> any appropriate domain transition automatically), or it will run as the cron
> domain for the daemon (IE the script that calls start-stop-daemon has a
> domain transition *) and again it doesn't need to do anything special.
>
> *) domain_auto_trans() rules that allow script execution to have more privs
> than the calling code is bad. But having the script execute with less privs
> is OK (not great but OK).
>
> --
> http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/ My home page
--
--
expecting email to be received and understood is a bit like
picking up the telephone and immediately dialing without
checking for a dial-tone; speaking immediately without listening
for either an answer or ring-tone; hanging up immediately and
believing that you have actually started a conversation.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />