Hi everybody.
First of all, let me introduce myself. My name is Bogdan Agica and I'm in the Linux team for the BitDefender Antivirus.
I'm responsible for the SELinux integration of BitDefender and I seem to have some issues with dropping privileges. The startup scripts rely on sudo in order to drop privileges in a standard Linux system. I have written the test policy for the postfix agent, which works fine if the programs are started as root (not via the startup scripts); however the final policy is supposed to integrate seamlessly with the product.
In the /etc/init.d script, the programs (5 of them) are started by commands like:
# sudo -u bitdefender /opt/BitDefender/bin/bdcored start
I have looked at the files domains/program/sudo.te and macros/program/sudo_macros.te. Unfortunately, the lack of documentation for the sudo_domain() macro was a problem, so I have some questions:
1. What exactly does the sudo_domain() macro do?
2. Is this the tool that I need? (I have tried to integrate it with the policy, but it resulted in errors)
I'm using FC3, and the following packages:
# rpm -qa | grep -i selinux
selinux-policy-strict-1.19.10-2
selinux-policy-targeted-sources-1.17.30-2.51
selinux-doc-1.14.1-1
libselinux-1.19.1-8
selinux-policy-targeted-1.17.30-2.51
selinux-policy-strict-sources-1.19.10-2
Of course, should anyone want to look at the beta policy that I've written, I can provide it, and the software itself is available on the company's ftp site.
TIA,
Bogdan Agica wrote:
<snip>
In the /etc/init.d script, the programs (5 of them) are started by commands like:
# sudo -u bitdefender /opt/BitDefender/bin/bdcored start
I have looked at the files domains/program/sudo.te and macros/program/sudo_macros.te. Unfortunately, the lack of documentation for the sudo_domain() macro was a problem, so I have some questions:
- What exactly does the sudo_domain() macro do?
- Is this the tool that I need? (I have tried to integrate it with the policy, but it resulted in errors)
<snip>
There is a program "runuser" in the coreutils package that was designed and written to be used in place of "su" and possibly "sudo" in this situation. See "man runuser" and postgresql for an example where it is used.
HTH
Richard Hally
On Fri, 2004-12-17 at 07:35 -0500, Richard Hally wrote:
There is a program "runuser" in the coreutils package that was designed and written to be used in place of "su" and possibly "sudo" in this situation. See "man runuser" and postgresql for an example where it is used.
Thanx for the answer. runuser seems to be working ok, and we're probably going to replace sudo in the forthcoming install scripts. (Actually, from what I've learnt, it's just su without correct_password() )
When do you think runuser goes mainstream? Because, as far as I have checked, it's only in FC3 with selinux (not in Debian, and not in Gentoo).
Thanks again for the prompt answer,
On Saturday 18 December 2004 03:48, Bogdan Agica bagica@bitdefender.com wrote:
When do you think runuser goes mainstream? Because, as far as I have checked, it's only in FC3 with selinux (not in Debian, and not in Gentoo).
Debian has a program called start-stop-daemon which is similar to runuser but has some extra features. Gentoo will get something equivalent too (they have to).
selinux@lists.fedoraproject.org
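
Added example, not part of the thread and not BitDefender's init script: a helper for a root-run init script that starts a daemon as an unprivileged user with whichever of the tools named above is installed (runuser, start-stop-daemon, otherwise su). The function names and the LAUNCHERS and DRY_RUN variables are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: drop privileges from a root-run init script without sudo.

# have TOOL: succeed if TOOL is installed. LAUNCHERS is a hypothetical
# override (space-separated tool names) so the selection can be tested.
have() {
    if [ -n "${LAUNCHERS+set}" ]; then
        case " $LAUNCHERS " in *" $1 "*) return 0 ;; esac
        return 1
    fi
    command -v "$1" >/dev/null 2>&1
}

# pick_launcher: print runuser, start-stop-daemon, or su as the fallback.
pick_launcher() {
    for tool in runuser start-stop-daemon; do
        if have "$tool"; then echo "$tool"; return 0; fi
    done
    echo su
}

# run_as USER PROGRAM [ARGS...]: run PROGRAM as USER.
# With DRY_RUN=1 the command line is printed instead of executed.
run_as() {
    [ $# -ge 2 ] || { echo "usage: run_as USER PROGRAM [ARGS...]" >&2; return 2; }
    user=$1 prog=$2
    shift 2
    # Require an absolute path so root's PATH cannot change what gets started.
    case $prog in /*) ;; *) echo "run_as: need absolute path" >&2; return 2 ;; esac
    case $(pick_launcher) in
        start-stop-daemon)
            set -- start-stop-daemon --start --chuid "$user" --exec "$prog" -- "$@" ;;
        runuser)
            # su-style syntax: the command is a single string for the shell,
            # so arguments must not contain spaces or shell metacharacters.
            set -- runuser -s /bin/sh -c "$prog $*" "$user" ;;
        *)
            set -- su -s /bin/sh -c "$prog $*" "$user" ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
```

In an init script this would be called as `run_as bitdefender /opt/BitDefender/bin/bdcored start`, once per daemon.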