Re: /var/run/directory/

Russell Coker (russell@xxxxxxxxxxxx) said: 
> Currently in the strict policy every daemon is permitted to create files 
> under /var/run.  The problem is that a daemon which runs as root can (if 
> compromised) create /var/run files with the names used by other daemons if 
> the daemon is not running at the time.  This interferes with stopping and 
> starting daemons.
> 
> The solution to this is to have a directory under /var/run for each daemon and 
> give write access to that directory only to the daemon that uses it.  For 
> daemons that run as non-root this also makes things easier for non-SE systems 
> as there is no need to create a pidfile such as /var/run/sm-client.pid and 
> chown it, the directory can just have the permissions needed to allow file 
> creation by the daemon.
> 
> Can anyone think of a reason not to do this?  Or should I just start filing 
> bugzilla entries against all packages that have /var/run/daemon.pid files?

Well, it will break parts of the initscripts if it's just done
in the daemons. :)

Bill
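
An added example, not part of the original thread or of any Fedora package: a shell function that audits a run directory for the layout proposed above, reporting pidfiles that still sit directly in the shared directory and per-daemon subdirectories that group or others can write to. It checks mode bits only, not ownership or SELinux policy. The `exampled` and `scratch` names and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# audit_rundir DIR prints one finding per line:
#   SHARED <path>  pidfile directly in DIR, i.e. in the namespace every
#                  daemon allowed to write to DIR can create names in
#   LOOSE  <path>  subdirectory writable by group or others
#   OK     <path>  subdirectory writable by its owner only
audit_rundir() {
    rundir=$1
    for entry in "$rundir"/*; do
        [ -e "$entry" ] || continue
        if [ -f "$entry" ]; then
            case $entry in
                *.pid) echo "SHARED $entry" ;;
            esac
        elif [ -d "$entry" ] && [ ! -L "$entry" ]; then
            # First 10 characters of ls -ld are the type and mode bits;
            # character 6 is group write, character 9 is other write.
            mode=$(ls -ld "$entry" | cut -c1-10)
            case $mode in
                d????w????|d???????w?) echo "LOOSE $entry" ;;
                *) echo "OK $entry" ;;
            esac
        fi
    done
}

# Constructed sample tree (hypothetical names apart from sm-client.pid,
# which is the pidfile mentioned in the thread).
make_sample() {
    d=$(mktemp -d) || return 1
    : > "$d/sm-client.pid"           # old layout: pidfile in the shared dir
    mkdir "$d/exampled" "$d/scratch"
    chmod 755 "$d/exampled"          # per-daemon dir, owner-only write
    : > "$d/exampled/exampled.pid"
    chmod 777 "$d/scratch"           # per-daemon dir anyone can write to
    echo "$d"
}

sample=$(make_sample) && audit_rundir "$sample"
rm -rf "$sample"
```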

