On 12/15/2014 6:32 AM, eric gisse wrote:
> In tracking down some related issues, the subject of the helper
> program /usr/sbin/open_init_pty came up.
>
> This gets called by run_init as the final step for running a program
> in the initrc context, like this:
>
> if (execvp("/usr/sbin/open_init_pty", argv)) {
>         perror("execvp");
>         exit(-1);
> }
>
> The context for this problem is the discovery that open_init_pty
> doesn't play well with others by refusing to pass along return codes.
> Eg, run_init from stock will always return 0.
>
> Debian fixes this problem by fixing open_init_pty to return status
> codes, redhat bypasses it in favor of execvp(), and gentoo uses stock
> and is evaluating its options.
>
> What I'm trying to figure out is, is the function of open_init_pty in
> the general sense.
>
> Init scripts don't generally get a pty, so I don't understand the
> necessity and hope someone here can shed a little light on this.

Most daemons will print early error messages before reopening their
stdin/out/err to /dev/null. The purpose of open_init_pty is to provide
an isolated stdin/out/err for the init scripts and daemons. Without it,
we'd have to allow all daemons to read/write sysadm/unconfined
terminals, which opens those highly-privileged users to attack.

--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
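
The two points in this thread (an isolated pty for the child, and passing its return code back to the caller), as an added example that is not part of the original messages and is not the open_init_pty source. It is a Linux-only sketch; the name `run_on_pty` and the 128+signal return convention are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run argv on a fresh pty, relay its output, and return
 * its exit status (128+signal if killed, -1 if the pty could not be set up). */
int run_on_pty(char *const argv[])
{
    int unlock = 0, slave, status;
    unsigned int ptn;
    char name[32], buf[4096];
    ssize_t n;

    /* Allocate a new pty pair; the child never touches the caller's terminal. */
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master < 0 || ioctl(master, TIOCSPTLCK, &unlock) ||
        ioctl(master, TIOCGPTN, &ptn))
        return -1;
    snprintf(name, sizeof name, "/dev/pts/%u", ptn);
    /* Open the slave before fork so the relay loop below always terminates. */
    if ((slave = open(name, O_RDWR | O_NOCTTY)) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(master);
        setsid();                     /* drop the caller's controlling tty */
        ioctl(slave, TIOCSCTTY, 0);   /* the new pty becomes the controlling tty */
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        if (slave > 2)
            close(slave);
        execvp(argv[0], argv);
        _exit(127);                   /* exec failed */
    }
    close(slave);

    /* Relay output until every slave fd is closed (read then fails with EIO). */
    while ((n = read(master, buf, sizeof buf)) > 0)
        if (write(STDOUT_FILENO, buf, (size_t)n) < 0)
            break;
    close(master);

    /* Report the child's status instead of always returning 0. */
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 128 + WTERMSIG(status);
}
```

The relay loop waits until the pty slave is fully closed, so a child that leaves a background process holding the pty open will delay the return.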