/etc/init.d/ script
Russell Coker
russell at coker.com.au
Thu Jan 6 10:31:54 UTC 2005
On Thursday 06 January 2005 02:03, Bogdan Agica <bagica at bitdefender.com>
wrote:
> 1. Relabel the script from initrd_exec_t to something else,
> in which case I'll run into problems starting / stopping the programs.
You could have the init.d script call something else to do the work. So you
split the script into a worker script in /usr/sbin and a start script in the
init.d directory that just calls the worker.
> 2. Give read access to initrd_t in bitdefender_etc_t and _lib_t,
> which I think is a stupid workaround, providing read access to all
> scripts in /etc/init.d to this dir.
That's the usual approach. Not ideal but not too bad either. What is the
bitdefender data? initrc_t is a very powerful domain that can break your
system in many ways. Protecting files from it provides little benefit with
the way things work now.
> I know, the best idea would be to leave the /etc/init.d/ script for
> starting and stopping the program, and to provide all the other
> functionality via other means, but that is not feasible in the short
> term.
It's not difficult to split a shell script into two shell scripts.
> Is there any way to "inherit" a type (C++-like inheritance), e.g. to
> create a type (say bitdefender_initrc_exec_t), which inherits all the
> attributes of its successor, but adds new functionality? (Would be a
> nice idea if there isn't yet)
No.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
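
The split suggested in the reply above, as an added example that is not part of the original message or of any product's scripts: a dispatcher in /etc/init.d that only forwards the action, and a worker in /usr/sbin that does the real work. The names bd and bd-worker, the ROOT prefix, the pid file path and the `sleep` stand-in daemon are assumptions made so the example runs unprivileged.

```shell
# Added example; bd, bd-worker, the paths and the stand-in daemon are hypothetical.
# install_split ROOT writes both scripts under ROOT so it runs unprivileged;
# on a real system ROOT would be empty and the daemon would be the real binary.
install_split() {
    root=$1
    mkdir -p "$root/etc/init.d" "$root/usr/sbin" "$root/var/run" || return 1

    # Dispatcher: stays labeled like every other init script and holds no
    # logic that needs the application's own config or library files.
    cat > "$root/etc/init.d/bd" <<EOF
#!/bin/sh
case "\$1" in
    start|stop|status) exec "$root/usr/sbin/bd-worker" "\$1" ;;
    *) echo "Usage: \$0 {start|stop|status}" >&2; exit 2 ;;
esac
EOF

    # Worker: all real work lives here, so this file can be given its own
    # type and the access granted to that domain instead of to initrc_t.
    cat > "$root/usr/sbin/bd-worker" <<EOF
#!/bin/sh
PIDFILE="$root/var/run/bd.pid"
running() { [ -s "\$PIDFILE" ] && kill -0 "\$(cat "\$PIDFILE")" 2>/dev/null; }
case "\$1" in
    start)
        running && exit 0
        sleep 300 >/dev/null 2>&1 &      # stand-in for the real daemon
        echo \$! > "\$PIDFILE" ;;
    stop)
        running && kill "\$(cat "\$PIDFILE")"
        rm -f "\$PIDFILE" ;;
    status)
        running || exit 3 ;;             # 3 = not running (LSB convention)
    *)  exit 2 ;;
esac
EOF
    chmod 755 "$root/etc/init.d/bd" "$root/usr/sbin/bd-worker"
}
```

With this layout the init.d file needs no access to the application's configuration or library directories; only the worker does.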