author Sven Vermeulen <sven.vermeulen@siphos.be> 2011-12-10 18:31:46 +0100
committer Sven Vermeulen <sven.vermeulen@siphos.be> 2011-12-10 18:31:46 +0100
commit 945eac4bc1e59dddac5681f5be0ce9139e9dfa69 (patch)
tree 51f0837d9cc7f15b3e6bf17792bdb989fa502801
parent Roadmap update: old profiles are deprecated
Adding FAQ on run_init authentication
-rw-r--r-- xml/selinux-faq.xml 38
1 files changed, 36 insertions, 2 deletions
diff --git a/xml/selinux-faq.xml b/xml/selinux-faq.xml
index 09b04ab..cff0308 100644
--- a/xml/selinux-faq.xml
+++ b/xml/selinux-faq.xml
@@ -17,8 +17,8 @@ The FAQ is a collection of solutions found on IRC, mailinglist, forums or
elsewhere
</abstract>
-<version>17</version>
-<date>2011-10-25</date>
+<version>18</version>
+<date>2011-12-10</date>
<faqindex>
<title>Questions</title>
@@ -812,5 +812,39 @@ file system mounted with <c>nosuid</c>.
</body>
</section>
+<section id="auth-run_init">
+<title>Why do I always need to re-authenticate when operating init scripts?</title>
+<body>
+
+<p>
+When you, as an administrator, wants to launch or stop daemons, these activities
+need to be done as <c>system_u:system_r</c>. Switching to this context set is a
+highly privileged operation (since you are effectively leaving the user context
+and entering a system context) and hence the default setup requires the user to
+re-authenticate.
+</p>
+
+<p>
+You can ask not to re-authenticate if you use PAM by editing
+<path>/etc/pam.d/run_init</path> and adding the following line on top:
+</p>
+
+<pre caption="Setup run_init pam configuration to allow root not to re-authenticate">
+auth sufficient pam_rootok.so
+</pre>
+
+<p>
+With this in place, you can now prepend your init script activities with
+<c>run_init</c> and it will not ask for your password anymore:
+</p>
+
+<pre caption="Using run_init">
+# <i>run_init rc-service local status</i>
+Authenticating swift.
+ * status: started
+</pre>
+
+</body>
+</section>
</chapter>
</guide>
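Review bot: the new auth-run_init section does not state the trade-off of the "auth sufficient pam_rootok.so" line it tells readers to add. The first paragraph justifies re-authentication because switching to system_u:system_r is a highly privileged operation, and this line drops that check for anything already running as root. Suggest saying so in the body text, and making clear there that it applies to root only; at the moment only the pre caption says "allow root", while the paragraph reads "You can ask not to re-authenticate". In the "Using run_init" sample, the output still shows "Authenticating swift." directly after the text promises no password prompt; a short remark that the message is still printed but no password is requested would avoid confusion. Minor: "When you, as an administrator, wants" should read "want".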