[ubuntu-hardened] SELinux support in upstart

Chad Sellers chad at thesellers.net
Sun Mar 18 13:49:09 GMT 2007

On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:

> On Sun, 2007-03-18 at 03:39 +0000, Paul Sladen wrote:
>> On Sat, 17 Mar 2007, Chad Sellers wrote:
>>> On Mar 17, 2007, at 11:15 PM, Paul Sladen wrote:
>>>> On Sat, 17 Mar 2007, Chad Sellers wrote:
>>>>> I just checked out the status of SELinux in Ubuntu for the first
>>>>> time in a while by looking at Feisty Herd 5.
>>>> Chad: perhaps you could outline what support needs adding.
>>> I meant support for loading policy, similar to what sysvinit
>>> already does.
>>> SELinux policy needs to be loaded very early in the boot process
>> Currently upstart is being used in compatibility mode where it
>> simply runs the existing 'sysvinit' startup scripts, so it's likely
>> that this still works as expected (this would be a useful experiment
>> to test if you have a working setup).
> Actually the code to load the policy in sysvinit was coded directly
> into the init daemon (badly), so upstart simply doesn't support it.
Yes, this had to be put directly into sysvinit because the policy
load needed to happen a good bit before the init scripts were
invoked. Out of curiosity, what were the problems with the sysvinit
load_policy patch? Why do you consider it done badly?

> Andrew Mitchell was working on patches for upstart, but they never saw
> the light of day.
> I'd like to see SELinux supported by it, as long as it's done properly
> and not just hacked in any old way.
> For example, could the policy be loaded in the initramfs rather than
> by init?
This is actually how we handled policy loading several years ago (up
until late 2003). The problems with this are twofold.
1) You have to rebuild the initrd every time you change policy.
SELinux policy on most systems changes over time (just look at the
number of changes to the default SELinux policy in Fedora for an
example). You combine that with any customization that the end user
does to their system, and you end up having to recreate initrd images
very frequently. Obviously, if the initrd is going to load the policy
then the initrd has to have the policy. So, you have to rebuild the
initrd repeatedly.
2) Not everyone uses an initrd. We'd rather not force people to use
an initrd to use SELinux, as the two are not necessarily tied to one

Chad Sellers

> Scott
> -- 
> Scott James Remnant
> Ubuntu Development Manager
> scott at ubuntu.com
