[ubuntu-hardened] SELinux support in upstart

Chad Sellers chad at thesellers.net
Sun Mar 18 22:26:43 GMT 2007


On Mar 18, 2007, at 10:59 AM, Paul Sladen wrote:

> On Sun, 18 Mar 2007, Chad Sellers wrote:
>> On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
>>> On Sun, 2007-03-18 at 03:39 +0000, Paul Sladen wrote:
>>> For example, could the policy be loaded in the initramfs
>> if the initrd is going to load the policy then the initrd has to have
>> the policy. So, you have to rebuild the initrd repeatedly.
>
> The filesystem containing /the policy/ has to be available.  What I would
> imagine is that the loader script is dropped into the initramfs so that
> execution of the loader occurs between '/' being located + mounted and
> *before* '/sbin/init' is executed.
>
> In this case, you'd have "apt-get install selinux" install something like:
>
>   /usr/share/initramfs-tools/scripts/init-bottom/selinux
>
> and once this 'initramfs' is rebuilt, then the 'selinux' loader file will be
> executed on next boot.  As the root-filesystem is now available, the loader
> can find the policy files there ('/etc/security/*'?). This is still before
> 'init' ('upstart') has been handed control.
>
> The actual policy files would continue to remain where they do
> currently.  The only time that the initramfs would be regenerated is when a
> new version of SELinux is released---and the regeneration being automatic on
> installation of the new package.
>
That could work. BTW, it's /etc/selinux/*.


>> Not everyone uses an initrd.
>
> Everyone these days /does/ use initramfs :)  Some just use initramfs
> more than others!
>
> In the case where somebody is attempting to use 'upstart' with a legacy
> setup it may be possible to have a "start on startup" event file and have
> the runlevel scripts ask not to be loaded "until security-policy".
>
That's fine. We'd just want to make sure this behavior is well-documented.

> I think though that SELinux is attempting to do things "before the system is
> started", in which case a far better place for SELinux to be doing its magic
> is the sort of "management mode" environment that initramfs provides.
>
That makes sense. I know the Red Hat guys had additional reasons for
doing this in init (see http://marc.info/?l=selinux&m=106554815132096&w=2
for more info), but you guys may not care about those reasons.

Chad

> 	-Paul
> -- 
> Why do one side of a triangle when you can do all three.    
> Nottingham, GB
>
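
An added sketch, not code from this thread or from any Ubuntu package, of the init-bottom hook discussed above: it inspects the mounted root for the policy under /etc/selinux/* and decides whether to load it before init gets control. Assumed here: the function names, the SELINUX/SELINUXTYPE keys in /etc/selinux/config, the policy/policy.N file layout, `load_policy -i` run through chroot as the loader call, and exiting non-zero when enforcing mode has no policy.

```shell
#!/bin/sh
# Sketch of /usr/share/initramfs-tools/scripts/init-bottom/selinux (added example).
# initramfs-tools calls each script with "prereqs" to order them, then runs it
# with the real root mounted at ${rootmnt}, before init is executed.
PREREQ=""
case "${1:-}" in prereqs) echo "$PREREQ"; exit 0 ;; esac

# Print the last KEY=value setting from <root>/etc/selinux/config.
selinux_cfg() {  # $1 = root mount point, $2 = key
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Print the highest-versioned policy.N for the configured policy type.
find_policy() {  # $1 = root mount point
    ptype=$(selinux_cfg "$1" SELINUXTYPE)
    best=""; bestv=-1
    for f in "$1/etc/selinux/$ptype/policy/policy."*; do
        v=${f##*.}
        case "$v" in ''|*[!0-9]*) continue ;; esac   # unmatched glob or odd suffix
        if [ -f "$f" ] && [ "$v" -gt "$bestv" ]; then bestv=$v; best=$f; fi
    done
    [ -n "$best" ] || return 1
    echo "$best"
}

# Decide what the hook does: "skip", "load <path>" or "fail".
plan() {  # $1 = root mount point
    mode=$(selinux_cfg "$1" SELINUX)
    case "$mode" in
        enforcing|permissive) ;;
        *) echo skip; return 0 ;;     # disabled or no config: nothing to do
    esac
    if p=$(find_policy "$1"); then
        echo "load $p"
    elif [ "$mode" = enforcing ]; then
        echo fail                     # report it rather than continue silently
    else
        echo skip
    fi
}

# Only act when run by initramfs-tools (rootmnt set); does nothing otherwise.
if [ -n "${rootmnt:-}" ]; then
    case "$(plan "$rootmnt")" in
        load\ *) chroot "$rootmnt" load_policy -i || exit 1 ;;  # assumed loader call
        fail) echo "selinux: enforcing but no policy found" >&2; exit 1 ;;
    esac
fi
```

The version comparison is numeric, so policy.21 is chosen over policy.9 even though a plain glob sorts it first.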
