[ubuntu-hardened] SELinux support in upstart

Chad Sellers chad at thesellers.net
Mon Mar 26 19:53:57 BST 2007

On Mar 19, 2007, at 5:49 PM, Andrew Mitchell wrote:

> On Sun, Mar 18, 2007 at 10:15:25PM +0000, Scott James Remnant wrote:
>> On Sun, 2007-03-18 at 09:49 -0400, Chad Sellers wrote:
>>> On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
>>>> Actually the code to load the policy in sysvinit was coded directly
>>>> into
>>>> the init daemon (badly), so upstart simply doesn't support it.
>>> Yes, this had to be put directly into sysvinit because the policy
>>> load needed to happen a good bit before the init scripts were
>>> invoked. Out of curiosity, what were the problems with the sysvinit
>>> load_policy patch? Why do you consider it done badly?
>> It had bad behaviours (error messages, etc.) when SELinux wasn't
>> supported by the operating system, and it was literally a large patch
>> dropped into the middle of the existing code without even  
>> conforming to
>> the coding style around it.
>> It also forced several other things in init, such as mounting / 
>> proc and
>> the selinuxfs filesystem -- both of which shouldn't be built in.
> The equivalent behaviour was needed for upstart, and it was just ugly.
> To get init into the right security context, it needed to re-exec  
> after
> loading the policy, so that domain transitions would happen properly.
> This is still an issue with using initramfs.
Why is this still an issue for initramfs? Doesn't the pseudo-init  
within the initramfs end up executing the real init (upstart) after  
loading policy, causing this which puts the real init in the right  

>>>> Andrew Mitchell was working on patches for upstart, but they  
>>>> never saw
>>>> the light of day.
>>>> I'd like to see SELinux supported by it, as long as it's done  
>>>> properly
>>>> and not just hacked in any old way.
>>>> For example, could the policy be loaded in the initramfs rather
>>>> than by
>>>> init?
>>> This is actually how we handled policy loading several years ago (up
>>> until late 2003). The problem with this are twofold.
>>> 1) You have to rebuild the initrd every time you change policy
>> Not true.  Just load the policy once the root filesystem has been
>> mounted.
>>> 2) Not everyone uses an initrd. We'd rather not force people to use
>>> an initrd to use SELinux, as the two are not necessarily tied to one
>>> another.
>> Everyone that uses Upstart has an initramfs, because all kernel  
>> versions
>> supported by Upstart have a minimum one that includes /dev/console at
>> the least.
>> As we move more towards kinit as well, it's likely that modern  
>> systems
>> will have quite a substantial initramfs.
>> Scott
> Using an initramfs is definitely preferable, as more things run in  
> there
> now that should run with a policy loaded, so that they get the right
> labels on files created, for example. If there's a good way to re-exec
> or change the security context on a running process in the initramfs,
> I'd like to hear it so that upstart doesn't need to care about selinux
> support.
> Thanks,
> Andrew
> -- 
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened

More information about the ubuntu-hardened mailing list