/var/run/directory/

[Russell Coker]

On Tue, 5 Oct 2004 00:23, Chris Adams <cmadams at hiwaay.net> wrote:
> I opened a Bugzilla requesting enhancement to the init.d functions a
> couple of years ago because of this:
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=63440

When sending a signal to a daemon to be sure that we get things right we need 
to check:

PID number in pidfile (which needs to be in a subdirectory for a non-root 
process to be able to restart itself).

Executable that is being run.  If the daemon crashes and another process gets 
the same pid then we don't want to kill the wrong thing, checking that the 
program matches the daemon is a good way to do it.  The start-stop-daemon 
program used in Debian does this.  One issue with such checks is that you 
must stop the daemon before upgrading it, otherwise an attempt to stop it 
will fail because the executable for the daemon no longer exists.

For SE Linux we also want to check the security context.  It's not difficult 
to ask the kernel what happens when the domain specified 
in /etc/selinux/strict/contexts/initrc_context executes the type of the 
executable for the daemon and then check that the process to be killed is 
running in the domain in question.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page