
Re: /var/run/directory/

>Currently in the strict policy every daemon is permitted to create files 
>under /var/run.  

Can they not be limited to 1 well-known file in SELinux?

>The problem is that a daemon which runs as root can (if 
>compromised) create /var/run files with the names used by other daemons if 
>the daemon is not running at the time.  This interferes with stopping and 
>starting daemons.

There are only 3 daemons that I can think of that need to be root: sshd, xinetd,
crond. That's because they start programs targeted for various accts. Almost all
other daemons should drop root pretty quick. Without being root, they cannot
overwrite pid files.

The only daemons that you have to worry about are the ones that stay as root. How
many stay as root? 

>For daemons that run as non-root this also makes things easier for non-SE 
>systems as there is no need to create a pidfile such as /var/run/sm-client.pid 
>and chown it, 

I don't buy this. The code is already there. Are you thinking to rewrite how
every daemon records its pid? Or just to change the name of the pid file? These
are 2 entirely different scopes of a fix.

>Can anyone think of a reason not to do this? 

Well, you will need to maintain a bunch of patches. The daemon, spec file (to
create the /var/run/daemon dir), and initscripts will need adjusting. The end
user wouldn't really notice it since this magic occurs under the hood.

I just question the scope of the problem - meaning how many daemons fall into
this category of retaining root. And why can't SELinux limit a daemon to 1 file
in the /var/run directory? That file should be well known.

-Steve Grubb
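
The question raised in this message, how many daemons with a pid file under /var/run stay as root, can be measured on a given host. The following is an added example, not part of the original message: the function names and the sample tree are constructed for illustration, and it assumes the Linux /proc/<pid>/status format.

```python
import os
import tempfile

def effective_uid(pid, proc_root="/proc"):
    """Parse 'Uid: real effective saved fs' from <proc_root>/<pid>/status."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            for line in fh:
                if line.startswith("Uid:"):
                    return int(line.split()[2])  # second number is the effective UID
    except OSError:
        pass  # no such process: the pid file is stale
    return None

def root_pidfiles(run_dir, proc_root="/proc"):
    """Return sorted (pidfile, pid) pairs whose live process has effective UID 0."""
    hits = []
    for dirpath, _dirs, files in os.walk(run_dir):
        for name in files:
            if not name.endswith(".pid"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path) as fh:
                    pid = int(fh.read().split()[0])
            except (OSError, ValueError, IndexError):
                continue  # unreadable or malformed pid file
            if effective_uid(pid, proc_root) == 0:
                hits.append((os.path.relpath(path, run_dir), pid))
    return sorted(hits)

def build_sample(base):
    """Constructed fixture (not real data): pid files plus fake /proc entries."""
    run, proc = os.path.join(base, "run"), os.path.join(base, "proc")
    sample = [("sshd.pid", 101, 0), ("crond.pid", 102, 0),
              ("named/named.pid", 103, 25), ("stale.pid", 999, None)]
    for name, pid, euid in sample:
        path = os.path.join(run, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(f"{pid}\n")
        if euid is not None:  # None models a daemon that is not running
            os.makedirs(os.path.join(proc, str(pid)))
            with open(os.path.join(proc, str(pid), "status"), "w") as fh:
                fh.write(f"Name:\tx\nUid:\t{euid}\t{euid}\t{euid}\t{euid}\n")
    return run, proc

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        print(root_pidfiles(*build_sample(base)))
```

On a live system, call `root_pidfiles("/var/run")` with the default `proc_root`; reading other users' pid files may require root.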
