/etc/init.d/ script

Russell Coker russell at coker.com.au
Thu Jan 6 10:31:54 UTC 2005


On Thursday 06 January 2005 02:03, Bogdan Agica <bagica at bitdefender.com> 
wrote:
> 1. Relabel the script from initrd_exec_t to something else,
> in which case I'll run into problems starting / stopping the programs.

You could have the init.d script call something else to do the work.  So you 
split the script into a worker script in /usr/sbin and a start script in the 
init.d directory that just calls the worker.

> 2. Give read access to initrd_t in bitdefender_etc_t and _lib_t,
> which I think is a stupid workaround, providing read access to all
> scripts in /etc/init.d to this dir.

That's the usual approach.  Not ideal but not too bad either.  What is the 
bitdefender data?  initrc_t is a very powerful domain that can break your 
system in many ways.  Protecting files from it provides little benefit with 
the way things work now.

> I know, the best idea would be to leave the /etc/init.d/ script for
> starting and stopping the program, and to provide all the other
> functionality via other means, but that is not feasible in the short
> term.

It's not difficult to split a shell script into two shell scripts.

> Is there any way to "inherit" a type (C++-like inheritance), e.g. to
> create a type (say bitdefender_initrc_exec_t), which inherits all the
> attributes of its successor, but adds new functionality? (Would be a
> nice idea if there isn't yet)

No.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



