Jimmy Wennlund wrote:
> On Tue 2006-06-06 at 11:38 +0200, dragoran wrote:
>
>> Hello
>> I am still working on the selinux stuff (does not work as expected yet).
>> Please look at this bug report:
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179761
>> (the last few comments).
>>
>
> I'm pretty busy at the moment
>

ok no problem I am now busy too ;) had one free week and wanted to code something

>> 1.) having initng as a plugin does not seem to be a good idea, because
>> it must be started before initng opens any fd.
>> after boot initng runs as kernel_t then the selinux code loads the
>> policy and restarts initng by calling /sbin/initng.
>> then initng becomes init_t but the problem is that the fds are still
>> kernel_t which the policy does not allow access to processes like
>> mount, etc.
>> so loading the policy should be the first thing initng does (then it
>> restarts itself and can do its tasks).
>> ->the selinux init code needs to be moved out of the plugin and added to
>> the main function (inside ifdefs)
>>
> Okay, you are free to put the code back in.
>

ok will do that

>> 2.) initng seems to execute daemons directly; the check if it is a script
>> or not does not work. The solution would be to start all daemons using sh
>> -c /sbin/udevd (for example)
>> is this possible somehow? I don't think that it would add any noticeable
>> overhead.
>> can a plugin (via hook) change the exec daemon value?
>> the selinux plugin only has to replace it by sh -c "oldexecstr"
>>
>>
> That is a little too much overhead, is it not better to see if the script
> has a context set, and if not set one?
>

this won't work because init is only allowed to directly trans to initrc_t (sh is autotransed to the service's domain)
if using sh is too much overhead would it be less overhead to have a simple helper app that does this?
other question: where is the code that starts the daemons? (those that are noted exec daemon= ... in the ifiles)

> Sorry for not being available much, I work a lot, every free time I get
> I try to make some small coding..
>

ok no problem at all

> /Jimmy
>
--
_______________________________________________
Initng mailing list
[email protected]
http://jw.dyndns.org/mailman/listinfo/initng
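
The ordering discussed in point 1 of the thread (load the policy before initng opens any descriptor, then re-exec /sbin/initng so the process leaves kernel_t), as an added C example that is not part of the original messages or of initng's source. The `USE_SELINUX` macro, the `INITNG_SELINUX_DONE` guard variable and the 1024-descriptor scan limit are assumptions made for the example; `selinux_init_load_policy()` is the libselinux call.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef USE_SELINUX              /* hypothetical build macro; link with -lselinux */
#include <selinux/selinux.h>
#endif
#define FD_SCAN_LIMIT 1024      /* assumption: early init holds few descriptors */

/* Count open descriptors in [lowest, FD_SCAN_LIMIT). Anything opened before
 * the re-exec keeps the label it got while the process was still kernel_t. */
int count_open_fds(int lowest)
{
    int n = 0;
    for (int fd = lowest; fd < FD_SCAN_LIMIT; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Call first thing in main(). Returns 0 to continue booting, -1 to abort. */
int selinux_early_init(char **argv)
{
    if (getenv("INITNG_SELINUX_DONE"))      /* hypothetical guard: second pass */
        return 0;
    if (count_open_fds(3) > 0) {            /* 0-2 are assumed to be the console */
        fprintf(stderr, "selinux: descriptors opened before policy load\n");
        return -1;
    }
#ifdef USE_SELINUX
    int enforce = 0;
    setenv("INITNG_SELINUX_DONE", "1", 1);  /* stops the re-exec from looping */
    if (selinux_init_load_policy(&enforce) == 0) {
        execv("/sbin/initng", argv);        /* re-exec: kernel_t -> init_t */
        return -1;                          /* execv only returns on failure */
    }
    if (enforce > 0)                        /* enforcing requested, no policy */
        return -1;
#else
    (void)argv;
#endif
    return 0;
}

int main(int argc, char **argv)
{
    return (argc > 0 && selinux_early_init(argv) == 0) ? 0 : 1;
}
```

Without `-DUSE_SELINUX` only the descriptor check is compiled, so the ordering guard can be exercised on a machine without libselinux.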
