swift 11/12/11 13:53:22

Modified: selinux-faq.xml
Log:
Adding FAQ on running run_init without re-authenticating

Revision Changes Path
1.12 xml/htdocs/proj/en/hardened/selinux-faq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml?rev=1.12&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml?rev=1.12&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml?r1=1.11&r2=1.12

14 |
Index: selinux-faq.xml |
15 |
=================================================================== |
16 |
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml,v |
17 |
retrieving revision 1.11 |
18 |
retrieving revision 1.12 |
19 |
diff -u -r1.11 -r1.12 |
20 |
--- selinux-faq.xml 10 Dec 2011 15:18:56 -0000 1.11 |
21 |
+++ selinux-faq.xml 11 Dec 2011 13:53:22 -0000 1.12 |
22 |
@@ -1,6 +1,6 @@ |
23 |
<?xml version="1.0" encoding="UTF-8"?> |
24 |
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
25 |
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml,v 1.11 2011/12/10 15:18:56 swift Exp $ --> |
26 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/selinux-faq.xml,v 1.12 2011/12/11 13:53:22 swift Exp $ --> |
27 |
|
28 |
<guide> |
29 |
<title>Gentoo Hardened SELinux Frequently Asked Questions</title> |
30 |
@@ -17,8 +17,8 @@ |
31 |
elsewhere |
32 |
</abstract> |
33 |
|
34 |
-<version>17</version> |
35 |
-<date>2011-10-25</date> |
36 |
+<version>18</version> |
37 |
+<date>2011-12-10</date> |
38 |
|
39 |
<faqindex> |
40 |
<title>Questions</title> |
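Review bot: The new <date> value in this hunk, 2011-12-10, is one day behind the commit itself: the +++ timestamp and the updated $Header keyword both say 2011-12-11. If <date> is meant to track when the published text changed, set it to 2011-12-11 so readers comparing the guide version with the repository history see the same day.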
41 |
@@ -812,5 +812,39 @@ |
42 |
|
43 |
</body> |
44 |
</section> |
45 |
+<section id="auth-run_init"> |
46 |
+<title>Why do I always need to re-authenticate when operating init scripts?</title> |
47 |
+<body> |
48 |
+ |
49 |
+<p> |
50 |
+When you, as an administrator, wants to launch or stop daemons, these activities |
51 |
+need to be done as <c>system_u:system_r</c>. Switching to this context set is a |
52 |
+highly privileged operation (since you are effectively leaving the user context |
53 |
+and entering a system context) and hence the default setup requires the user to |
54 |
+re-authenticate. |
55 |
+</p> |
56 |
+ |
57 |
+<p> |
58 |
+You can ask not to re-authenticate if you use PAM by editing |
59 |
+<path>/etc/pam.d/run_init</path> and adding the following line on top: |
60 |
+</p> |
61 |
+ |
62 |
+<pre caption="Setup run_init pam configuration to allow root not to re-authenticate"> |
63 |
+auth sufficient pam_rootok.so |
64 |
+</pre> |
65 |
+ |
66 |
+<p> |
67 |
+With this in place, you can now prepend your init script activities with |
68 |
+<c>run_init</c> and it will not ask for your password anymore: |
69 |
+</p> |
70 |
+ |
71 |
+<pre caption="Using run_init"> |
72 |
+# <i>run_init rc-service local status</i> |
73 |
+Authenticating swift. |
74 |
+ * status: started |
75 |
+</pre> |
76 |
+ |
77 |
+</body> |
78 |
+</section> |
79 |
</chapter> |
80 |
</guide> |
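Review bot: The new auth-run_init section explains in its first paragraph that re-authentication exists because entering system_u:system_r is a highly privileged switch, but the second paragraph then removes that check without stating the trade-off. With "auth sufficient pam_rootok.so" at the top of /etc/pam.d/run_init, PAM accepts the caller on the strength of being root alone, so the password no longer acts as a second barrier between a root shell in a user context and the system context. Please add a sentence (or a <note>) saying so, and make the prose match the caption by stating that the exemption applies to root only. Two smaller points in the same hunk: "When you, as an administrator, wants" should read "want", and the sample output still prints "Authenticating swift." directly after the text promises it will not ask for a password, so it is worth saying that this line is still shown but no password prompt follows.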