Bug 4825 - services should be started via run_init on SELinux systems
Summary: services should be started via run_init on SELinux systems
Status: CLOSED INVALID
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Other
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.12.0
Assignee: Peter Åstrand
URL:
Keywords:
Depends on:
Blocks:
Reported: 2013-10-04 09:48 CEST by Pierre Ossman
Modified: 2020-06-29 09:43 CEST (History)
Description Pierre Ossman cendio 2013-10-04 09:48:35 CEST
You should not start and stop services directly on SELinux systems as they might end up in a different context compared to when they are started on boot. We seem to have gotten away with this with the targeted policy, but the mls policy is not as forgiving.

The proper way is to run them via the run_init helper program. It invokes PAM so that pam_selinux can do a proper context switch first. Unfortunately it seems to be configured to require a password by default, so it could be difficult to automate.

This affects at least tl-setup and tlwebadm. Also probably not an issue with systemd as systemctl doesn't directly start the process.
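As an added illustration (not part of the bug report or of ThinLinc's own tooling) of the problem described above, the script below checks whether running services ended up in the SELinux domain the policy would have given them at boot. It parses constructed `ps -eZ`-style output; the service names other than tlwebadm, and all of the type names such as `tlwebadm_t`, are assumed placeholders rather than real ThinLinc policy types.

```shell
#!/bin/sh
# Added example, not from the ThinLinc bug report: flag services whose
# SELinux process context differs from the domain they are expected to
# run in when started at boot (the symptom of starting them directly
# instead of through run_init / pam_selinux).

# Constructed sample of `ps -eZ` output (LABEL PID TTY TIME CMD).
# Two services were started from an admin shell and inherited the
# caller's domain instead of their own.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:01 init
system_u:system_r:tlwebadm_t:s0     812 ?        00:00:00 tlwebadm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1431 pts/0 00:00:00 vsmserver
staff_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 1502 pts/0 00:00:00 vsmagent'

# Expected domain (the SELinux type field) per service binary.
# These type names are placeholders assumed for illustration.
EXPECTED='tlwebadm tlwebadm_t
vsmserver vsmserver_t
vsmagent vsmagent_t'

# Extract the type (third colon-separated field) from a full context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "cmd actual expected" for every service not in its expected domain.
context_mismatches() {
    printf '%s\n' "$EXPECTED" | while read -r cmd want; do
        # Find the ps line whose last field (CMD) is this service.
        line=$(printf '%s\n' "$SAMPLE_PS" | awk -v c="$cmd" '$NF == c')
        [ -n "$line" ] || continue
        ctx=$(printf '%s\n' "$line" | awk '{print $1}')
        got=$(context_type "$ctx")
        if [ "$got" != "$want" ]; then
            printf '%s %s %s\n' "$cmd" "$got" "$want"
        fi
    done
}

context_mismatches
```

On a real host, replace `SAMPLE_PS` with the output of `ps -eZ` and fill `EXPECTED` with the domains your policy assigns to each service; any line printed is a service that should be restarted through run_init (or systemctl) rather than left running in the administrator's domain.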
Comment 1 Pierre Ossman cendio 2013-10-04 09:49:35 CEST
Also, tl-setup currently gives a traceback with the mls policy. A first step could be cleaning that up and giving better user feedback.
Comment 2 Pierre Ossman cendio 2018-03-20 13:28:09 CET
This might not be relevant for many systems anymore as these days we use systemctl to start our services. So only systems that use SELinux but not systemd will be affected by this.
Comment 3 Pierre Ossman cendio 2020-06-29 09:43:39 CEST
We now require systemd, so this bug is no longer relevant.