[ubuntu-hardened] SELinux support in upstart
Chad Sellers
chad at thesellers.net
Sun Mar 18 22:26:43 GMT 2007
On Mar 18, 2007, at 10:59 AM, Paul Sladen wrote:
> On Sun, 18 Mar 2007, Chad Sellers wrote:
>> On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
>>> On Sun, 2007-03-18 at 03:39 +0000, Paul Sladen wrote:
>>> For example, could the policy be loaded in the initramfs
>> if the initrd is going to load the policy then the initrd has to have
>> the policy. So, you have to rebuild the initrd repeatedly.
>
> The filesystem containing /the policy/ has to be available. What I would
> imagine is that the loader script is dropped into the initramfs so that
> execution of the loader occurs between '/' being located + mounted and
> *before* '/sbin/init' is executed.
>
> In this case, you'd have "apt-get install selinux" install something like:
>
> /usr/share/initramfs-tools/scripts/init-bottom/selinux
>
> and once this 'initramfs' is rebuilt, then the 'selinux' loader file will be
> executed on next boot. As the root-filesystem is now available, the loader
> can find the policy files there ('/etc/security/*'?). This is still before
> 'init' ('upstart') has been handed control.
>
> The actual policy files would continue to remain where they do
> currently. The only time that the initramfs would be regenerated is when a
> new version of SELinux is released---and the regeneration being automatic on
> installation of the new package.
>
That could work. BTW, it's /etc/selinux/*.
>> Not everyone uses an initrd.
>
> Everyone these days /does/ use initramfs :) Some just use initramfs
> more than others!
>
> In the case where somebody is attempting to use 'upstart' with a legacy
> setup it may be possible to have a "start on startup" event file and have
> the runlevel scripts ask not to be loaded "until security-policy".
>
That's fine. We'd just want to make sure this behavior is well-documented.
> I think though that SELinux is attempting to do things "before the system is
> started", in which case a far better place for SELinux to be doing its magic
> is the sort of "management mode" environment that initramfs provides.
>
That makes sense. I know the Red Hat guys had additional reasons for
doing this in init (see
http://marc.info/?l=selinux&m=106554815132096&w=2 for more info), but
you guys may not care about those reasons.
Chad
> -Paul
> --
> Why do one side of a triangle when you can do all three.
> Nottingham, GB
>
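The init-bottom loader proposed in this thread, sketched as an added example that is not code from the thread or from any Ubuntu package. The function names are hypothetical; the `policy.N` file naming under `/etc/selinux/<type>/policy/`, the `/sbin/load_policy` path and its `-i` (initial load) option are assumptions about the installed system.

```shell
#!/bin/sh
# Added example (not from the thread): init-bottom step that loads SELinux
# policy from the real root before run-init executes /sbin/init.
# Assumed: policy.N file naming, /sbin/load_policy path, its -i option.

# Print the last KEY=value setting from <root>/etc/selinux/config.
selinux_setting() {   # $1 = root mount point, $2 = key
    [ -r "$1/etc/selinux/config" ] || return 0
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p" \
        "$1/etc/selinux/config" | tail -n 1
}

# Print the root-relative path of the highest-version binary policy.
find_policy() {       # $1 = root mount point
    ptype=$(selinux_setting "$1" SELINUXTYPE)
    [ -n "$ptype" ] || return 1
    best=""; bestver=-1
    for f in "$1/etc/selinux/$ptype/policy"/policy.*; do
        [ -f "$f" ] || continue
        ver=${f##*.}
        case $ver in ''|*[!0-9]*) continue ;; esac   # skip policy.bak etc.
        if [ "$ver" -gt "$bestver" ]; then bestver=$ver; best=$f; fi
    done
    [ -n "$best" ] || return 1
    rel=${best#"$1"}
    printf '%s\n' "$rel"
}

# Decide the boot action: "skip", "load <path>", or "missing" (status 1).
plan_policy_load() {  # $1 = root mount point
    case $(selinux_setting "$1" SELINUX) in
        enforcing|permissive) ;;
        *) echo skip; return 0 ;;
    esac
    if p=$(find_policy "$1"); then echo "load $p"; else echo missing; return 1; fi
}

# initramfs-tools first calls each script with "prereqs" to order them.
if [ "${1:-}" = prereqs ]; then exit 0; fi
# At boot, initramfs-tools exports rootmnt (where the real '/' is mounted).
if [ -n "${rootmnt:-}" ]; then
    case $(plan_policy_load "$rootmnt") in
        load\ *) chroot "$rootmnt" /sbin/load_policy -i ;;
        missing) echo "selinux: enabled in config but no policy found" >&2 ;;
    esac
fi
```

Because the policy is read from the mounted root rather than copied into the image, the initramfs only needs rebuilding when this script itself changes, which is the property the thread is after.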