On Fri, 2004-07-02 at 10:33, Russell Coker wrote:
> Let's get back to basics and look at the concepts rather than AVC messages.
>
> /etc/rc.d/init.d/postgresql uses su to change uid to start the daemon, this is
> a problem as it's not compatible with the usual su operation. Changing su is
> not the right solution as we don't even need 1% of the functionality of su,
> all we need is a way to call setregid() and setreuid() before executing the
> script. I'm not sure if we already have a program we can use for this
> purpose (sudo is not suitable).

The daemon() macro in /etc/init.d/functions includes a --user option that
causes it to run the command via su in the specified user identity
(su -s /bin/bash - $user -c ...). So it appears that this is not an
uncommon/unexpected practice for running daemons in a non-root uid
without requiring a separate wrapper program.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency