Bug#390067: initscripts: SELinux and log saving in /etc/init.d/check*.sh

2019-05-14 Thread Dmitry Bogatov


control: severity -1 wishlist
control: tags -1 +moreinfo

[2006-09-29 02:52] Erich Schubert 
> For SELinux domain transition purposes, it would be good to have the
> logsave invocations split out from the init scripts into separate
> scripts (that may even boil down to something like this:)
> ---
> #!/bin/sh
> # First argument is the log file; the rest are passed through to fsck.
> FSCK_LOGFILE=$1
> shift
> exec logsave -s "$FSCK_LOGFILE" fsck "$@"
> ---
> [...]

Today, as 13 years ago, we need patches. Or, at least, someone who is
willing to test what I can write based on the provided description: I am
not an SELinux user.

Dear submitter, are you still interested in this feature?
-- 
Note, that I send and fetch email in batch, once every 24 hours.
 If matter is urgent, try https://t.me/kaction
 --



Bug#390067: initscripts: SELinux and log saving in /etc/init.d/check*.sh

2006-10-03 Thread Petter Reinholdtsen

[Erich Schubert]
> For SELinux domain transition purposes, it would be good to have the
> logsave invocations split out from the init scripts into separate
> scripts (that may even boil down to something like this:)

Patches are most welcome.  One idea I am contemplating is to store
these logs and other logs in /lib/init/rw/, and add a script after the
mountnfs step to copy all the logs into /var/log/ when all the file
systems are mounted.  It is not high priority, though, so I have not
started looking into this yet.

Friendly,
-- 
Petter Reinholdtsen





Bug#390067: initscripts: SELinux and log saving in /etc/init.d/check*.sh

2006-09-28 Thread Erich Schubert
Package: initscripts
Version: 2.86.ds1-20
Severity: normal

For SELinux domain transition purposes, it would be good to have the
logsave invocations split out from the init scripts into separate
scripts (that may even boil down to something like this:)
---
#!/bin/sh
# First argument is the log file; the rest are passed through to fsck.
FSCK_LOGFILE=$1
shift
exec logsave -s "$FSCK_LOGFILE" fsck "$@"
---

SELinux domain transitions happen on exec(), then there are usually no
changes to the applications required.
Init scripts should be labeled initrc_exec_t, and will be executed as
initrc_t; this domain has e.g. the permission to talk to the init
process, read and write pid files etc.
The initrc_t domain probably should not be given write access to the
fsck log files, so some domain transition needs to happen.
logsave, while currently being only used by the check*.sh initscripts, is
likely meant to be used by other applications as well, so labeling it as
fsck_exec_t is not appropriate. A simple wrapper as suggested above
could help here as an SELinux transition point. This would allow logsave to
be executed as fsck_t, and restrict access to the fsck log files
tightly.


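The transition point described in the report above, written out as a loadable policy module. This is an added example, not part of the original report or of any Debian or reference policy. It assumes the loaded policy defines `initrc_t`, `fsck_t` and `fsck_exec_t` as named in the report; `fsck_log_t`, the module name and the wrapper path in the comments are hypothetical.

```selinux
module fsck_logsave_wrapper 1.0;

require {
	type initrc_t;       # domain the init scripts run in (named in the report)
	type fsck_t;         # target domain for fsck and logsave (named in the report)
	type fsck_exec_t;    # entrypoint label; applied to the wrapper, not to logsave
	attribute file_type;
	class process transition;
	class file { getattr open read execute entrypoint create append write };
}

# Hypothetical type for the fsck log files, so access can be granted to
# fsck_t alone.
type fsck_log_t;
typeattribute fsck_log_t file_type;

# The wrapper (hypothetical path /lib/init/fsck-logsave) is labeled
# fsck_exec_t in the file contexts. When initrc_t exec()s it, the new
# process runs in fsck_t; logsave itself keeps its generic label.
type_transition initrc_t fsck_exec_t:process fsck_t;
allow initrc_t fsck_exec_t:file { getattr open read execute };
allow initrc_t fsck_t:process transition;
allow fsck_t fsck_exec_t:file entrypoint;

# Only fsck_t may write the logs. No rule grants initrc_t access to
# fsck_log_t, which is the restriction the report asks for.
allow fsck_t fsck_log_t:file { create getattr open append write };

# Rules for running the shell and logsave inside fsck_t, and for creating
# files in the log directory, depend on the labels used by the loaded
# policy and are left to that policy.
```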