>Currently in the strict policy every daemon is permitted to create files
>under /var/run. Can they not be limited to 1 well-known file in selinux?
>
>The problem is that a daemon which runs as root can (if
>compromised) create /var/run files with the names used by other daemons if
>the daemon is not running at the time. This interferes with stopping and
>starting daemons.

There are only 3 daemons that I can think of that need to be root: sshd, xinetd, crond. That's because they start programs targeted for various accounts. Almost all other daemons should drop root pretty quick. Without being root, they cannot overwrite pid files. The only daemons that you have to worry about are the ones that stay as root. How many stay as root?

>For daemons that run as non-root this also makes things easier for non-SE
>systems as there is no need to create a pidfile such as /var/run/sm-client.pid
>and chown it,

I don't buy this. The code is already there. Are you thinking to rewrite how every daemon records its pid? Or just to change the name of the pid file? These are 2 entirely different scopes of a fix.

>Can anyone think of a reason not to do this?

Well, you will need to maintain a bunch of patches. The daemon, spec file (to create the /var/run/daemon dir), and initscripts will need adjusting. The end user wouldn't really notice it since this magic occurs under the hood. I just question the scope of the problem - meaning how many daemons fall into this category of retaining root. And why can't selinux limit a daemon to 1 file in the /var/run directory? That file should be well known.

-Steve Grubb
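Added example, not part of the message above or of the strict policy under discussion: a refpolicy-style type enforcement module that confines a hypothetical daemon (called foo here) to exactly one pid file, /var/run/foo.pid, which is the restriction Steve asks about. It assumes a refpolicy toolchain with named file transition support (filetrans with a filename argument), which the policy of the time did not have; the identifiers foo, foo_t, foo_exec_t, foo_var_run_t and foo.pid are illustrative.

```selinux
# Added example module (hypothetical daemon "foo"); assumes refpolicy
# interfaces and named file transitions.
policy_module(foo, 1.0.0)

# Domain for the running daemon and type for its executable.
type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# The daemon's pid file gets its own type. Nothing else under /var/run
# carries this label, so write access to it grants nothing else.
type foo_var_run_t;
files_pid_file(foo_var_run_t)

# foo_t may create, write, read and remove files of its own pid type ...
allow foo_t foo_var_run_t:file manage_file_perms;

# ... and a file foo_t creates in a var_run_t directory is labelled
# foo_var_run_t only when it is named foo.pid. A create under any other
# name (say sshd.pid) would default to var_run_t, on which foo_t has no
# create or write permission, so the operation is denied. Overwriting an
# existing /var/run/sshd.pid is likewise denied, since that file carries
# sshd_var_run_t and foo_t has no rule for it.
files_pid_filetrans(foo_t, foo_var_run_t, file, "foo.pid")

# foo_t needs search on /var/run itself to reach its pid file.
files_search_pids(foo_t)

# Matching file context entry (would live in foo.fc) so that restorecon
# and the runtime transition agree on the label:
#   /var/run/foo\.pid  --  gen_context(system_u:object_r:foo_var_run_t,s0)
```

The same pattern extends to the per-daemon directory variant mentioned in the thread: give /var/run/foo/ its own type with a `dir` transition from var_run_t, then let foo_t manage files only inside that directory. Either way, the root-versus-non-root question Steve raises becomes secondary under SELinux, because even a daemon that stays uid 0 in domain foo_t cannot touch another daemon's pid file.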