[DSE-User] selinux and /sbin/init INIT_PROG feature
Thomas Bleher
bleher at informatik.uni-muenchen.de
Wed Jan 11 14:06:02 UTC 2006
* Thomas Hood <jdthood at yahoo.co.uk> [2006-01-10 21:49]:
> Over in sysvinit land we are thinking of implementing #345741. This will allow root
> to tell init to exec an arbitrary program. (Currently init can only exec /sbin/init.)
> We are wondering, first, whether this creates any problems for selinux
First off, thanks for asking here!
I don't think it will create new problems for SELinux.
> and, second,
> whether the new feature can be disabled by means of an appropriate selinux configuration.
I don't think it can be disabled completely. There are two aspects which can be controlled by
SELinux:
1) Who can write to /dev/initctl
2) Which programs init may execute
1) is already tightly restricted; looking at my policy, only acpid, xdm,
lilo, /etc/init.d-scripts, cron (cron because of prelink, could be
disabled) and of course the sysadmin are allowed to write to /dev/initctl.
2) is a bit more open because init needs to execute a variety of
programs, but it's still restricted to "trusted" directories - in my
current policy, init may execute files under /{lib,bin,sbin} and /usr/{lib,bin,sbin}
plus /etc/init.d scripts plus one random script under /etc
(/etc/X11/prefdm, need to look at it one day).
So while you can't disable it completely you can control it reasonably;
I think from an SELinux POV it is OK to implement it - though of course
it should be properly documented so people know about it.
Thomas Bleher
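
An added example, not part of the original message: one way to audit the two control points described above (who may write to /dev/initctl, and which file types init may execute) from allow rules in the format printed by `sesearch --allow`. The type names (`initctl_t`, `init_t`, `bin_t` and so on) and the sample rules are assumptions constructed for illustration, not the poster's policy.

```python
import re

# Constructed sample rules; type names are assumptions, not from the poster's policy.
SAMPLE_RULES = """\
allow sysadm_t initctl_t:fifo_file { getattr read write ioctl };
allow initrc_t initctl_t:fifo_file write;
allow crond_t initctl_t:fifo_file { write getattr };
allow httpd_t initctl_t:fifo_file getattr;
allow init_t bin_t:file { read getattr execute execute_no_trans };
allow init_t initrc_exec_t:file { read execute };
allow init_t etc_t:file { read getattr };
allow init_t user_home_t:file { read execute };
"""

# allow <source> <target>:<class> <perm>;   or   ... { <perm> <perm> ... };
RULE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;")

def parse_rules(text):
    """Return (source, target, class, permission set) for each allow rule."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            src, tgt, cls, braced, single = m.groups()
            rules.append((src, tgt, cls, set((braced or single).split())))
    return rules

def initctl_writers(rules, fifo_type="initctl_t"):
    """Control point 1: domains allowed to write to the initctl FIFO."""
    return sorted({s for s, t, c, p in rules
                   if t == fifo_type and c == "fifo_file" and "write" in p})

def init_exec_types(rules, init_domain="init_t"):
    """Control point 2: file types the init domain may execute."""
    return sorted({t for s, t, c, p in rules
                   if s == init_domain and c == "file" and "execute" in p})

def audit(text, expected_writers, trusted_exec_types):
    """Report anything beyond the reviewer's expected sets."""
    rules = parse_rules(text)
    return {
        "unexpected_writers": [d for d in initctl_writers(rules)
                               if d not in expected_writers],
        "unexpected_exec": [t for t in init_exec_types(rules)
                            if t not in trusted_exec_types],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, {"sysadm_t", "initrc_t"}, {"bin_t", "initrc_exec_t"}))
```

Rules granted through attributes appear under the attribute name in this kind of output, so an attribute name in either result should be expanded to its member types before deciding whether it is expected.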