On Monday 17 May 2010 09:32:15 am Konstantin Ryabitsev wrote:
> It mostly does the right thing, except for cases when an admin logs in
> and restarts a service. If it's running a privileged process, that
> process will have an auid of the user that last ran "service foo
> restart".
Yep.
> Is there a way to drop auid for services restarted by individual
> admins?
No, because that would allow the audit system to be attacked so that it
misrepresents who actually did something. This would be on the short list of
things to do like cleaning up logs after successfully compromising a system.
> I'm not sure if run_init does it, but I can't use it anyway
> because selinux is disabled on those machines.
What I would really like to see is daemons not being started directly. Meaning
that when you run "service httpd restart", this would tell init to restart
httpd so that httpd does not inherit anything in the admin's environment. This
would clean up SE Linux rules a bit too since there wouldn't be a need to
transition from the admin's context to the daemon's. The path would always be
admin->init->daemon. Of course starting up a service in this way should be an
auditable event, too.
> Thanks for any advice.
Not so much advice as just an understanding of why it's this way. I won't have
time to look into upstart any time soon, but it would be nice if someone else
did some digging into this and perhaps even fixed it for everyone.
-Steve
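The attribution problem discussed above can be spotted from procfs: a daemon started by init has no login session (loginuid is (uid_t)-1), while one (re)started from an admin's shell still carries that admin's auid. The script below is an added example, not code from the thread or from the audit project; it assumes the usual Linux /proc/<pid>/status and /proc/<pid>/loginuid files and treats "reparented to pid 1 and running as root" as the daemon heuristic.

```python
import os

UNSET_AUID = 4294967295  # (uid_t)-1: the kernel's "no login session" value


def parse_status(text):
    """Pull Name, PPid and real Uid out of a /proc/<pid>/status blob."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {
        "name": fields["Name"].strip(),
        "ppid": int(fields["PPid"]),
        "uid": int(fields["Uid"].split()[0]),  # first column is the real uid
    }


def read_process(pid, procfs="/proc"):
    """Build one record from /proc/<pid>/status and /proc/<pid>/loginuid."""
    with open(f"{procfs}/{pid}/status") as f:
        rec = parse_status(f.read())
    with open(f"{procfs}/{pid}/loginuid") as f:
        rec["loginuid"] = int(f.read().strip())
    rec["pid"] = int(pid)
    return rec


def admin_started_daemons(procs):
    """Root daemons (reparented to pid 1) that still carry a login uid were
    (re)started from an admin's session; their audit records name that admin."""
    return [p for p in procs
            if p["ppid"] == 1 and p["uid"] == 0 and p["loginuid"] != UNSET_AUID]


def scan(procfs="/proc"):
    """Scan a live procfs; processes that exit mid-scan are skipped."""
    procs = []
    for pid in os.listdir(procfs):
        if pid.isdigit():
            try:
                procs.append(read_process(pid, procfs))
            except (OSError, KeyError, ValueError):
                continue
    return admin_started_daemons(procs)


# Constructed sample (hypothetical pids): httpd restarted by an admin with auid 1000,
# sshd started by init, and the admin's own shell (not a daemon).
SAMPLE = [
    {"name": "httpd", "pid": 4711, "ppid": 1, "uid": 0, "loginuid": 1000},
    {"name": "sshd", "pid": 900, "ppid": 1, "uid": 0, "loginuid": UNSET_AUID},
    {"name": "bash", "pid": 5000, "ppid": 4700, "uid": 0, "loginuid": 1000},
]

if __name__ == "__main__":
    for p in admin_started_daemons(SAMPLE):
        print(f"{p['name']} (pid {p['pid']}) carries auid {p['loginuid']}")
```

Run `scan()` as root on a real host to list daemons whose audit trail points at an admin rather than init; the sample reports only httpd.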