Re: open_init_pty function?

On 12/15/2014 6:32 AM, eric gisse wrote:
> In tracking down some related issues, the subject of the helper
> program /usr/sbin/open_init_pty came up.
> 
> This gets called by run_init as the final step for running a program
> in the initrc context, like this:
> 
> if (execvp("/usr/sbin/open_init_pty", argv)) {
>   perror("execvp");
>   exit(-1);
> }
> 
> The context for this problem is the discovery that open_init_pty
> doesn't play well with others by refusing to pass along return codes.
> E.g., run_init from stock will always return 0.
> 
> Debian fixes this problem by fixing open_init_pty to return status
> codes, Red Hat bypasses it in favor of execvp(), and Gentoo uses stock
> and is evaluating its options.
> 
> What I'm trying to figure out is the function of open_init_pty in
> the general sense.
> 
> Init scripts don't generally get a pty, so I don't understand the
> necessity and hope someone here can shed a little light on this.

Most daemons will print early error messages before reopening their
stdin/out/err to /dev/null.  The purpose of open_init_pty is to provide
an isolated stdin/out/err for the init scripts and daemons.  Without it,
we'd have to allow all daemons to read/write sysadm/unconfined
terminals, which opens those highly-privileged users to attack.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
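
An added example, not part of either message and not the policycoreutils source: a minimal Linux-only sketch of a wrapper that gives a command its own pty for stdin/stdout/stderr, as the reply describes, and also passes the command's exit status back to the caller, which is the behaviour the question found missing. The function names `run_on_private_pty` and `status_to_exit_code` are hypothetical, and the pty is allocated with the Linux `/dev/ptmx` ioctls.

```c
/* Added illustration only; not the policycoreutils open_init_pty source. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Turn a waitpid() status into the exit code the wrapper itself returns. */
static int status_to_exit_code(int wstatus)
{
    if (WIFEXITED(wstatus)) return WEXITSTATUS(wstatus);
    if (WIFSIGNALED(wstatus)) return 128 + WTERMSIG(wstatus); /* shell convention */
    return 1;
}

/* Run argv with stdin/stdout/stderr on a new pty, copy its output to out_fd,
 * and return the child's exit code (-1 if pty or fork setup fails). */
int run_on_private_pty(char *const argv[], int out_fd)
{
    char path[32], buf[512];
    unsigned int ptn;
    int unlock = 0, wstatus, slave;
    ssize_t n;
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);

    if (master < 0 || ioctl(master, TIOCSPTLCK, &unlock) < 0 ||
        ioctl(master, TIOCGPTN, &ptn) < 0)
        return -1;
    snprintf(path, sizeof path, "/dev/pts/%u", ptn);
    if ((slave = open(path, O_RDWR | O_NOCTTY)) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {          /* child: stdio is moved onto the private pty */
        close(master);
        setsid();
        ioctl(slave, TIOCSCTTY, 0);
        dup2(slave, 0); dup2(slave, 1); dup2(slave, 2);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(slave);            /* parent keeps only the master side */
    while ((n = read(master, buf, sizeof buf)) > 0) /* EIO once child is gone */
        if (write(out_fd, buf, (size_t)n) < 0) break;
    close(master);
    return waitpid(pid, &wstatus, 0) < 0 ? -1 : status_to_exit_code(wstatus);
}

int main(int argc, char **argv)
{
    return argc > 1 ? run_on_private_pty(argv + 1, STDOUT_FILENO) : 2;
}
```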