Once upon a time, Bill Nottingham <notting(a)redhat.com> said:
> Jon Ciesla (limb(a)jcomserv.net) said:
> > My thoughts exactly. What are the less simple fixes that don't change
> > this behaviour?
>
> Essentially, introducing new scripts solely for this purpose that can
> be given a special label and some policy. It's a hack.

It seems that some prefer bash (dash would probably be better as a
lighter-weight and less-dependencies shell) and some prefer sulogin
(which I think should be "sulogin -e", but that may just be me), and
that this should be called from multiple places (single-user mode, fsck
failures).
It may seem like a hack, but it would seem to me that an external script
or program would be the right way to go, to allow people to change it
according to local policy. On a desktop system (where it seems the goal
is to eliminate the all-powerful "root"), the password may be unknown or
not even set, so requiring the root password would be a bad idea. Some
server setups may require a password in every case (including failure
modes).
If it is done with an external script/program, rc.sysinit should be
changed as well (and since this should handle SELinux correctly, the
disabling/enabling of SELinux could be removed).
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.