On Tue, 30 Nov 2010 17:01:16 -0500
Tom Lane <tgl(a)redhat.com> wrote:
Paul Howarth <paul(a)city-fan.org> writes:
> Paul Wouters <paul(a)xelerance.com> wrote:
>> Can't selinux pickup things without a restorecon? And what is the
>> problem another (root) process screwing over a pid or lock file?
>> Can't SElinux lock that down from the /var/run level?
> /var/run is var_run_t in targeted policy, but hardly anything below
> /var/run is - almost every subdir/file has its own context type.
> Just creating a file/directory within /var/run using the initscript
> will inherit the var_run_t, which in most cases is not what's
> needed, hence the need for restorecon.
> Having the daemon create the file/dir works better because there
> will be a type transition defined in policy that results in the
> correct context type being used.
That comment suggests you don't even understand the reason why those
subdirectories exist. It's this: the daemons do not, and should not,
run with the root privileges needed to create things directly in
/var/run. The point of a subdirectory is to be owned by the
lower-privilege account under which the particular daemon is running.
If the subdir has to be remade at runtime, that has to be done by the
root-privilege initscript, because /var/run is only writable by root.
Except for the cases where the daemon starts as root in order to do
things like bind to privileged ports, create subdir under /var/run for
its own purposes, write a pidfile to /var/run etc. and then drop
privileges like a good daemon should...
Paul.