[Pkg-sysvinit-devel] Bug#390067: initscripts: SELinux and log saving in /etc/init.d/check*.sh

Erich Schubert erich at debian.org
Fri Sep 29 00:52:36 UTC 2006


Package: initscripts
Version: 2.86.ds1-20
Severity: normal

For SELinux domain transition purposes, it would be good to have the
logsave invocations split out from the init scripts into separate
scripts (that may even boil down to something like this:)
---
#!/bin/sh
FSCK_LOGFILE=$(shift)
exec logsave -s $FSCK_LOGFILE fsck "$@"
---

SELinux domain transitions happen on exec(), then there are usually no
changes to the applications required.
Init scripts should be labeled initrc_exec_t, and will be executed as
initrc_t; this domain has e.g. the permission to talk to the init
process, read and write pid files etc.
The initrc_t domain probably should not be given write access to the
fsck log files, so some domain transition needs to happen.
logsave, while currently being only used by the check*.sh initscripts is
likely meant to be used by other applications as well, so labeling it as
fsck_exec_t is not appropriate. A simple wrapper as suggested above
could help her as SELinux transition point. This would allow logsave to
be executed as fsck_t, and restirct access to the fsck log files
tightly.




More information about the Pkg-sysvinit-devel mailing list