From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1RZQnE-00019c-2C for garchives@archives.gentoo.org; Sat, 10 Dec 2011 17:33:00 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 1DF7F21C057; Sat, 10 Dec 2011 17:32:52 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id DEA3A21C057 for ; Sat, 10 Dec 2011 17:32:51 +0000 (UTC) Received: from pelican.gentoo.org (unknown [66.219.59.40]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 617CE1B4013 for ; Sat, 10 Dec 2011 17:32:51 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by pelican.gentoo.org (Postfix) with ESMTP id A90B680042 for ; Sat, 10 Dec 2011 17:32:50 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <945eac4bc1e59dddac5681f5be0ce9139e9dfa69.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux-faq.xml X-VCS-Directories: xml/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 945eac4bc1e59dddac5681f5be0ce9139e9dfa69 Date: Sat, 10 Dec 2011 17:32:50 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: 1aff9bcc-76ac-4745-a21e-ba9c3edf09e9 X-Archives-Hash: d0da673776e3c19bcbd66651025ed834 commit: 945eac4bc1e59dddac5681f5be0ce9139e9dfa69 Author: Sven Vermeulen siphos be> AuthorDate: Sat Dec 10 17:31:46 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Dec 10 17:31:46 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3D945eac4b Adding FAQ on run_init authentication --- xml/selinux-faq.xml | 38 ++++++++++++++++++++++++++++++++++++-- 1 files changed, 36 insertions(+), 2 deletions(-) diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml index 09b04ab..cff0308 100644 --- a/xml/selinux-faq.xml +++ b/xml/selinux-faq.xml @@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mail= inglist, forums or elsewhere =20 -17 -2011-10-25 +18 +2011-12-10 =20 Questions @@ -812,5 +812,39 @@ file system mounted with nosuid. =20 +
+Why do I always need to re-authenticate when operating init scrip= ts? + + +

+When you, as an administrator, wants to launch or stop daemons, these ac= tivities +need to be done as system_u:system_r. Switching to this context s= et is a +highly privileged operation (since you are effectively leaving the user = context +and entering a system context) and hence the default setup requires the = user to +re-authenticate. +

+ +

+You can ask not to re-authenticate if you use PAM by editing +/etc/pam.d/run_init and adding the following line on top: +

+ +
+auth     sufficient     pam_rootok.so
+
+ +

+With this in place, you can now prepend your init script activities with +run_init and it will not ask for your password anymore: +

+ +
+# run_init rc-service local status
+Authenticating swift.
+ * status: started
+
+ + +
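Review bot: The new answer tells readers to put "auth sufficient pam_rootok.so" at the top of /etc/pam.d/run_init without saying what is given up, although its own first paragraph calls the switch to system_u:system_r "a highly privileged operation" that the default setup re-authenticates. With pam_rootok as a sufficient first rule, anything already running with UID 0 passes run_init authentication without a password. I would add a sentence stating that this removes the re-authentication step for root entirely and is an opt-in trade-off rather than a recommended default. The sample output still shows "Authenticating swift." directly after the text says it "will not ask for your password anymore"; a short remark that the message is still printed but no password prompt follows would avoid confusion. Nit in the first paragraph: "wants to launch" should read "want to launch".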