[ubuntu-hardened] SELinux support in upstart

Andrew Mitchell ajmitch at ubuntu.com
Mon Mar 19 21:49:46 GMT 2007

On Sun, Mar 18, 2007 at 10:15:25PM +0000, Scott James Remnant wrote:
> On Sun, 2007-03-18 at 09:49 -0400, Chad Sellers wrote:
> > On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
> > > Actually the code to load the policy in sysvinit was coded directly into
> > > the init daemon (badly), so upstart simply doesn't support it.
> > >
> > Yes, this had to be put directly into sysvinit because the policy  
> > load needed to happen a good bit before the init scripts were  
> > invoked. Out of curiosity, what were the problems with the sysvinit  
> > load_policy patch? Why do you consider it done badly?
> > 
> It had bad behaviours (error messages, etc.) when SELinux wasn't
> supported by the operating system, and it was literally a large patch
> dropped into the middle of the existing code without even conforming to
> the coding style around it.
> It also forced several other things in init, such as mounting /proc and
> the selinuxfs filesystem -- both of which shouldn't be built in.

The equivalent behaviour was needed for upstart, and it was just ugly.
To get init into the right security context, it needed to re-exec after
loading the policy, so that domain transitions would happen properly.
This is still an issue with using initramfs.

> > > Andrew Mitchell was working on patches for upstart, but they never saw
> > > the light of day.
> > >
> > > I'd like to see SELinux supported by it, as long as it's done properly
> > > and not just hacked in any old way.
> > >
> > > For example, could the policy be loaded in the initramfs rather than by
> > > init?
> > >
> > This is actually how we handled policy loading several years ago (up
> > until late 2003). The problems with this are twofold.
> > 1) You have to rebuild the initrd every time you change policy
> > 
> Not true.  Just load the policy once the root filesystem has been
> mounted.
> > 2) Not everyone uses an initrd. We'd rather not force people to use  
> > an initrd to use SELinux, as the two are not necessarily tied to one  
> > another.
> > 
> Everyone that uses Upstart has an initramfs, because all kernel versions
> supported by Upstart have a minimum one that includes /dev/console at
> the least.
> As we move more towards kinit as well, it's likely that modern systems
> will have quite a substantial initramfs.
> Scott

Using an initramfs is definitely preferable, as more things run in there
now that should run with a policy loaded, so that they get the right
labels on files created, for example. If there's a good way to re-exec
or change the security context on a running process in the initramfs,
I'd like to hear it so that upstart doesn't need to care about selinux.
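
Added example, not part of the original message and not upstart or sysvinit code: a small C check for the re-exec problem discussed in this thread, which reads PID 1's security context and reports whether init is still in the context it held before re-executing. The type name `kernel_t` and the sample contexts in the comments are assumptions taken from SELinux reference policy naming, not from this thread.

```c
#include <stdio.h>
#include <string.h>

/* Copy the type (third field) of "user:role:type[:level]" into out.
 * Returns 0 on success, -1 when ctx is not a full SELinux context. */
int context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {            /* skip user and role */
        if (!(p = strchr(p, ':')))
            return -1;
        p++;
    }
    size_t n = strcspn(p, ":\n");            /* type ends at ':', newline or NUL */
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

enum init_state { NO_POLICY, NEEDS_REEXEC, TRANSITIONED };

/* Assumption: kernel_t is the type init keeps until it re-executes
 * (reference policy naming); any other type counts as transitioned. */
enum init_state classify_init(const char *ctx)
{
    char type[64];
    if (context_type(ctx, type, sizeof type) != 0)
        return NO_POLICY;                    /* e.g. "kernel", or nothing readable */
    return strcmp(type, "kernel_t") == 0 ? NEEDS_REEXEC : TRANSITIONED;
}

int main(void)
{
    static const char *names[] = { "no policy loaded",
        "policy loaded, init not re-executed", "init transitioned" };
    char ctx[256] = "";
    FILE *f = fopen("/proc/1/attr/current", "r");
    if (f) {                                 /* read fails if SELinux is absent */
        size_t n = fread(ctx, 1, sizeof ctx - 1, f);
        ctx[n] = '\0';
        fclose(f);
    }
    printf("pid 1: %s (%s)\n", names[classify_init(ctx)],
           ctx[0] ? ctx : "unreadable");
    return 0;
}
```

Run early in boot or from a rescue shell, a result of "policy loaded, init not re-executed" means the policy was loaded but PID 1 never went through the exec that triggers its domain transition.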
