/var/run/directory/
Russell Coker
russell at coker.com.au
Thu Oct 7 03:02:10 UTC 2004
On Tue, 5 Oct 2004 00:23, Chris Adams <cmadams at hiwaay.net> wrote:
> I opened a Bugzilla requesting enhancement to the init.d functions a
> couple of years ago because of this:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=63440

When sending a signal to a daemon, to be sure that we get things right we need
to check:

PID number in pidfile (which needs to be in a subdirectory for a non-root
process to be able to restart itself).

Executable that is being run. If the daemon crashes and another process gets
the same pid then we don't want to kill the wrong thing; checking that the
program matches the daemon is a good way to do it. The start-stop-daemon
program used in Debian does this. One issue with such checks is that you
must stop the daemon before upgrading it, otherwise an attempt to stop it
will fail because the executable for the daemon no longer exists.

For SE Linux we also want to check the security context. It's not difficult
to ask the kernel what happens when the domain specified
in /etc/selinux/strict/contexts/initrc_context executes the type of the
executable for the daemon and then check that the process to be killed is
running in the domain in question.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
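
The three checks listed in the message above, as an added example in POSIX shell; it is not part of the original post and is not the start-stop-daemon or init.d functions code. The function name, its return codes, the `PROC_ROOT` override and the caller-supplied expected domain are assumptions of this example, which relies on Linux `/proc/PID/exe` and `/proc/PID/attr/current`.

```shell
#!/bin/sh
# Added example. PROC_ROOT is an assumption so the checks can be exercised
# against a constructed tree; on a live Linux system it stays /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# safe_daemon_pid PIDFILE EXPECTED_EXE [EXPECTED_DOMAIN]
# Prints the PID and returns 0 only when every check passes. Otherwise:
#   1 pidfile unusable    2 no such process    3 PID belongs to another program
#   4 daemon binary replaced on disk (upgraded while running)
#   5 process is not in the expected SELinux domain
safe_daemon_pid() {
    pidfile=$1 want_exe=$2 want_domain=${3:-}

    # Check 1: the pidfile must hold a plain decimal PID, never 0 or 1.
    [ -r "$pidfile" ] || return 1
    read -r pid < "$pidfile" || :        # tolerate a missing trailing newline
    case $pid in
        ''|*[!0-9]*|0*|1) return 1 ;;
    esac
    [ -d "$PROC_ROOT/$pid" ] || return 2

    # Check 2: the running executable must be the daemon. Linux appends
    # " (deleted)" to the link target once the file is unlinked or replaced.
    exe=$(readlink "$PROC_ROOT/$pid/exe") || return 2
    case $exe in
        "$want_exe") ;;
        "$want_exe (deleted)") return 4 ;;
        *) return 3 ;;
    esac

    # Check 3 (optional): the type field of the process context must be the
    # domain the caller expects. Computing that domain from initrc_context
    # is left to the caller in this example.
    if [ -n "$want_domain" ]; then
        ctx=$(2>/dev/null tr -d '\000\n' < "$PROC_ROOT/$pid/attr/current") || return 5
        [ "$(printf '%s' "$ctx" | cut -d: -f3)" = "$want_domain" ] || return 5
    fi
    printf '%s\n' "$pid"
}
```

The check and the later `kill` are not atomic, so the PID can still be recycled in the gap between them; the checks narrow that window but do not close it.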