authorBill Nottingham <notting@redhat.com>2010-06-29 12:53:37 -0400
committerBill Nottingham <notting@redhat.com>2010-06-29 12:53:37 -0400
commitedbe224afa7d6fe5a9cfccb1b49e661d364a5a01 (patch)
treeedbe3ceefd0f06b189528d23f7881b5a785e6160
parentcf6b7b273229021819a887c54b2a2bd76749e067 (diff)
Don't directly execute bash for single-user mode, as that has SELinux issues. (#540216, #584443, #585053)
If upstart directly runs bash for single-user mode, there's no way for SELinux to set the proper context (to distinguish it from other init scripts). Inserting a helper binary in the way allows for this. While we're changing this, we make it configurable so it's easily possible for people to use sulogin if they so desire.
-rw-r--r--init/rcS-sulogin.conf4
-rwxr-xr-xsrc/sushell5
-rw-r--r--src/sushell.816
-rw-r--r--sysconfig/init3
-rw-r--r--sysconfig/init.s3903
5 files changed, 30 insertions, 1 deletions
diff --git a/init/rcS-sulogin.conf b/init/rcS-sulogin.conf
index 9ce92ffa..818518de 100644
--- a/init/rcS-sulogin.conf
+++ b/init/rcS-sulogin.conf
@@ -9,8 +9,10 @@ stop on runlevel [!S]
console owner
script
+ . /etc/sysconfig/init
plymouth --hide-splash || true
- exec /bin/bash
+ [ -z "$SINGLE" ] && SINGLE=/sbin/sushell
+ exec $SINGLE
end script
post-stop script
if [ "$RUNLEVEL" = "S" ]; then
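Review bot: Nothing in the `script` stanza checks that `/etc/sysconfig/init` is readable or that `$SINGLE` is executable before `exec $SINGLE`, so a missing file or a mistyped value would leave single-user mode with no shell at all. The `|| true` on the plymouth line suggests the stanza runs with errexit, in which case a failing `.` would end the job before the `/sbin/sushell` fallback is reached. I would write `[ -r /etc/sysconfig/init ] && . /etc/sysconfig/init` and `[ -x "$SINGLE" ] || SINGLE=/sbin/sushell`; the second check assumes `SINGLE` is a bare path with no arguments. `src/sushell` has the same unchecked `exec $SUSHELL`. The `post-stop script` stanza continues past the end of this hunk.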
diff --git a/src/sushell b/src/sushell
new file mode 100755
index 00000000..7d969416
--- /dev/null
+++ b/src/sushell
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+[ -z "$SUSHELL" ] && SUSHELL=/bin/bash
+
+exec $SUSHELL
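Review bot: The script has no comment saying why it exists or where `SUSHELL` is expected to come from, and it reads like a redundant wrapper without one. A header such as `# Helper exec'd by the single-user job so SELinux can give the shell its own context; SUSHELL (environment) overrides /bin/bash.` would record the reason given in the commit message. Judging from the hunks shown, `rcS-sulogin.conf` sources `/etc/sysconfig/init` but exports nothing, so a `SUSHELL=` line added to that file would probably not reach this script. The comment or the man page should say how the variable has to be set.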
diff --git a/src/sushell.8 b/src/sushell.8
new file mode 100644
index 00000000..9832a732
--- /dev/null
+++ b/src/sushell.8
@@ -0,0 +1,16 @@
+.TH SUSHELL 8 "Red Hat, Inc" \" -*- nroff -*-
+.SH NAME
+sushell \- execute the single-user shell
+.SH SYNOPSIS
+.B sushell
+.SH DESCRIPTION
+.B sushell
+executes the single-user shell. By default, this is
+\fI/bin/bash\fP
+This can be configured via the
+.B SUSHELL
+environment variable.
+.SH NOTES
+.B sushell
+is an implementation detail, required for proper SELinux
+usage. It is not intended to be run regularly.
diff --git a/sysconfig/init b/sysconfig/init
index 959c4d83..1a746088 100644
--- a/sysconfig/init
+++ b/sysconfig/init
@@ -23,3 +23,6 @@ PROMPT=yes
AUTOSWAP=no
# What ttys should gettys be started on?
ACTIVE_CONSOLES=/dev/tty[1-6]
+# Set to '/sbin/sulogin' to prompt for password on single-user mode
+# Set to '/sbin/sushell' otherwise
+SINGLE=/sbin/sushell
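Review bot: The new comment presents `/sbin/sushell` only as the "otherwise" choice and never says that it gives a root shell on the console without authentication, which is the security-relevant difference between the two values. I would spell it out, for example `# '/sbin/sushell' starts a root shell with no password prompt (default);` followed by `# '/sbin/sulogin' asks for the root password first.` The same three lines are added to `sysconfig/init.s390` and should get the same wording.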
diff --git a/sysconfig/init.s390 b/sysconfig/init.s390
index 121b38fc..fdacee05 100644
--- a/sysconfig/init.s390
+++ b/sysconfig/init.s390
@@ -21,3 +21,6 @@ LOGLEVEL=3
PROMPT=no
# What ttys should gettys be started on?
ACTIVE_CONSOLES=/dev/console
+# Set to '/sbin/sulogin' to prompt for password on single-user mode
+# Set to '/sbin/sushell' otherwise
+SINGLE=/sbin/sushell