[ubuntu-hardened] SELinux support in upstart

[Paul Sladen]

On Sun, 18 Mar 2007, Chad Sellers wrote:
> On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
> > On Sun, 2007-03-18 at 03:39 +0000, Paul Sladen wrote:
> > For example, could the policy be loaded in the initramfs
> if the initrd is going to load the policy then the initrd has to have
> the policy. So, you have to rebuild the initrd repeatedly.

The filesystem containing /the policy/ has to be available.  What I would
imagine is that the loader script is dropped into the initramfs so that
execution of the loader occurs between '/' being located + mounted and
*before* '/sbin/init' is executed.

In this case, you'd have "apt-get install selinux" install something like:

  /usr/share/initramfs-tools/scripts/init-bottom/selinux

and once this 'initramfs' is rebuilt, then the 'selinux' loader file will be
executed on next boot.  As the root-filesystem is now available, the loader
can find the policy files there ('/etc/security/*'?). This is still before
'init' ('upstart') has been handed control.

The actual policy files would continue to remain where they do
currently.  The only time that the initramfs would be regenerated is when a
new version of SELinux is released---and the regeneration being automatic on
installation of the new package.

> Not everyone uses an initrd.

Everyone these days /does/ use initramfs :)  Some just use initramfs
more than others!

In the case where somebody is attempting to use 'upstart' with a legacy
setup if may be possible to have a "start on startup" event file and have
the runlevel scripts ask not to be loaded "until security-policy".

I think though that SELinux is attempting to do things "before the system is
started", in which case a far better place for SELinux to be doing its magic
is the sort of "management mode" environment that initramfs provides.

	-Paul
-- 
Why do one side of a triangle when you can do all three.   Nottingham, GB