Package: initscripts Version: 2.86.ds1-20 Severity: normal For SELinux domain transition purposes, it would be good to have the logsave invocations split out from the init scripts into separate scripts (that may even boil down to something like this:) --- #!/bin/sh FSCK_LOGFILE=$(shift) exec logsave -s $FSCK_LOGFILE fsck "$@" ---
SELinux domain transitions happen on exec(), then there are usually no changes to the applications required. Init scripts should be labeled initrc_exec_t, and will be executed as initrc_t; this domain has e.g. the permission to talk to the init process, read and write pid files etc. The initrc_t domain probably should not be given write access to the fsck log files, so some domain transition needs to happen. logsave, while currently being only used by the check*.sh initscripts is likely meant to be used by other applications as well, so labeling it as fsck_exec_t is not appropriate. A simple wrapper as suggested above could help her as SELinux transition point. This would allow logsave to be executed as fsck_t, and restirct access to the fsck log files tightly. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
