Debian Bug report logs - #390067
initscripts: SELinux and log saving in /etc/init.d/check*.sh


Package: initscripts; Maintainer for initscripts is Debian sysvinit maintainers <pkg-sysvinit-devel@lists.alioth.debian.org>; Source for initscripts is src:sysvinit.

Reported by: Erich Schubert <erich@debian.org>

Date: Fri, 29 Sep 2006 01:33:06 UTC

Severity: normal

Found in version sysvinit/2.86.ds1-20



Report forwarded to debian-bugs-dist@lists.debian.org, Debian sysvinit maintainers <pkg-sysvinit-devel@lists.alioth.debian.org>:
Bug#390067; Package initscripts. Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Erich Schubert <erich@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: initscripts: SELinux and log saving in /etc/init.d/check*.sh
Date: Fri, 29 Sep 2006 02:52:36 +0200
Package: initscripts
Version: 2.86.ds1-20
Severity: normal

For SELinux domain transition purposes, it would be good to have the
logsave invocations split out from the init scripts into separate
scripts (that may even boil down to something like this:)
---
#!/bin/sh
# First argument is the log file; the remaining arguments go to fsck.
FSCK_LOGFILE=$1
shift
exec logsave -s "$FSCK_LOGFILE" fsck "$@"
---

SELinux domain transitions happen on exec(), then there are usually no
changes to the applications required.
Init scripts should be labeled initrc_exec_t, and will be executed as
initrc_t; this domain has e.g. the permission to talk to the init
process, read and write pid files etc.
The initrc_t domain probably should not be given write access to the
fsck log files, so some domain transition needs to happen.
logsave, while currently being only used by the check*.sh initscripts is
likely meant to be used by other applications as well, so labeling it as
fsck_exec_t is not appropriate. A simple wrapper as suggested above
could help here as SELinux transition point. This would allow logsave to
be executed as fsck_t, and restrict access to the fsck log files
tightly.
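
Added example, not part of the original report: an SELinux policy module with the rules that would make exec() of such a wrapper a transition point from initrc_t into fsck_t, with log access granted to fsck_t only. The type fsck_log_t and the paths in the comments are hypothetical; initrc_t, fsck_t and fsck_exec_t are assumed to be defined by the base policy.

```selinux
# Added example, not from the bug report. fsck_log_t and the paths in the
# file-context comments are hypothetical; initrc_t, fsck_t and fsck_exec_t
# are assumed to be defined by the base policy.
module fsck_logsave_wrapper 1.0;

require {
	type initrc_t;
	type fsck_t;
	type fsck_exec_t;
	class file { getattr read open execute entrypoint create write append };
	class dir { search write add_name };
	class process transition;
}

# Hypothetical type for the saved fsck logs and the directory holding them.
type fsck_log_t;

# 1. initrc_t may execute the wrapper file.
allow initrc_t fsck_exec_t:file { getattr read open execute };
# 2. A process may enter fsck_t through a file labeled fsck_exec_t.
allow fsck_t fsck_exec_t:file entrypoint;
# 3. initrc_t may transition to fsck_t.
allow initrc_t fsck_t:process transition;
# Make that transition the default result of exec() on the wrapper.
type_transition initrc_t fsck_exec_t:process fsck_t;

# Only fsck_t may create and write the logs; there is deliberately no
# matching rule for initrc_t. New files inherit the directory's type.
allow fsck_t fsck_log_t:dir { search write add_name };
allow fsck_t fsck_log_t:file { getattr create open write append };

# File contexts (raw file_contexts form, non-MLS), hypothetical paths:
#   /lib/init/fsck-logsave   --   system_u:object_r:fsck_exec_t
#   /var/log/fsck(/.*)?           system_u:object_r:fsck_log_t
```

Because the wrapper is a shell script that in turn runs logsave and fsck, fsck_t would also need execute access to the interpreter and to those binaries, which depends on how the base policy labels them.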



Information forwarded to debian-bugs-dist@lists.debian.org, Debian sysvinit maintainers <pkg-sysvinit-devel@lists.alioth.debian.org>:
Bug#390067; Package initscripts. Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian sysvinit maintainers <pkg-sysvinit-devel@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #8 received at 390067@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 390067@bugs.debian.org, Erich Schubert <erich@debian.org>
Subject: Re: initscripts: SELinux and log saving in /etc/init.d/check*.sh
Date: Tue, 03 Oct 2006 20:32:35 +0200
[Erich Schubert]
> For SELinux domain transition purposes, it would be good to have the
> logsave invocations split out from the init scripts into separate
> scripts (that may even boil down to something like this:)

Patches are most welcome.  One idea I am contemplating is to store
these logs and other logs in /lib/init/rw/, and add a script after the
mountnfs step to copy all the logs into /var/log/ when all the file
systems are mounted.  It is not high priority, though, so I have not
started looking into this yet.

Friendly,
-- 
Petter Reinholdtsen





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:05:45 2014; Machine Name: buxtehude.debian.org
