[ubuntu-hardened] SELinux support in upstart
chad at thesellers.net
Sun Mar 18 13:49:09 GMT 2007
On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
> On Sun, 2007-03-18 at 03:39 +0000, Paul Sladen wrote:
>> On Sat, 17 Mar 2007, Chad Sellers wrote:
>>> On Mar 17, 2007, at 11:15 PM, Paul Sladen wrote:
>>>> On Sat, 17 Mar 2007, Chad Sellers wrote:
>>>>> I just checked out the status of SELinux in Ubuntu for the
>>>>> first time
>>>>> in a while by looking at Feisty Herd 5.
>>>> Chad: perhaps you could outline what support needs adding.
>>> I meant support for loading policy, similar to what sysvinit
>>> already does.
>>> SELinux policy needs to be loaded very early in the boot process
>> Currently upstart is being used in compatibility mode where it
>> simply runs
>> the existing 'sysvinit' startup scripts, so it's likely that this
>> works as expected (this would be a useful experiment to test if
>> you have a
>> working setup).
> Actually the code to load the policy in sysvinit was coded directly
> the init daemon (badly), so upstart simply doesn't support it.
Yes, this had to be put directly into sysvinit because the policy
load needed to happen a good bit before the init scripts were
invoked. Out of curiosity, what were the problems with the sysvinit
load_policy patch? Why do you consider it done badly?
> Andrew Mitchell was working on patches for upstart, but they never saw
> the light of day.
> I'd like to see SELinux supported by it, as long as it's done properly
> and not just hacked in any old way.
> For example, could the policy be loaded in the initramfs rather
> than by
This is actually how we handled policy loading several years ago (up
until late 2003). The problem with this are twofold.
1) You have to rebuild the initrd every time you change policy.
SELinux policy on most systems changes over time (just look at the
number of changes to the default SELinux policy in Fedora for an
example). You combine that with any customization that the end user
does to their system, and you end up having to recreate initrd images
very frequently. Obviously, if the initrd is going to load the policy
then the initrd has to have the policy. So, you have to rebuild the
2) Not everyone uses an initrd. We'd rather not force people to use
an initrd to use SELinux, as the two are not necessarily tied to one
> Scott James Remnant
> Ubuntu Development Manager
> scott at ubuntu.com
More information about the ubuntu-hardened