How-to, SELinux+Upstart

nnm nnm.one at gmail.com
Sat Jul 7 05:14:48 BST 2007


Hi

I was looking around on the initramfs to try to understand how you will load
the policy at that point in the boot process, using the
selinux_init_load_policy() from libselinux would be ideal since it does
everything for you, but you would have to boot without the 'ro' flag
otherwise it won't be able to write to syslog, or rewrite code that already
exists in libselinux? or load the libraries and shared objects onto
initramfs for the executable? Could you please clarify to me how this would
be done from initramfs?

Also when running this pre-init executable, after a successful policy load
and a relabel, init which replaces the pre-init will have the context
system_u:system_r:init_t, so it gets into the right context, though it
will show as '/sbin/pre-init' in 'ps Zaux'.


Updated this pre-init for those who want to try it:

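#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <selinux/selinux.h>

int main(int argc, char *argv[]) {
        int enforce = 0;

        (void)argc;

        /* SELINUX_INIT marks that the policy load was already attempted. */
        if ( ! getenv("SELINUX_INIT") ) {
                putenv( "SELINUX_INIT=YES" );

                if( selinux_init_load_policy(&enforce) == 0 ) {
                        printf("SELinux: Policy loaded successfully.\n");
                } else if( enforce > 0 ) {
                        /* Enforcing was requested but no policy is loaded: do not boot. */
                        printf("SELinux: Enforcing mode enabled but load_policy failed.\n");
                        return 1;
                }
                /* Load failed but not enforcing: fall through and start init anyway. */
        }

        /* Replace this process with the real init; argv is passed on unchanged. */
        execv("/sbin/init", argv);
        perror("execv /sbin/init");
        return 1;
}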

-----------

Thanks
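
A check for the point above about 'ps Zaux' still showing '/sbin/pre-init': the command name is just the argv handed to execv(), while the domain is what the kernel reports in /proc/1/attr/current. This is an added example, not part of the original message; the helper names context_has_type() and file_has_type() are made up for it, and only the init_t type comes from the post.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if the type (3rd colon-separated field) of an SELinux context
 * "user:role:type[:range]" equals want, 0 if it differs, -1 if malformed. */
int context_has_type(const char *ctx, const char *want)
{
    const char *p = ctx;
    size_t len;
    int i;
    for (i = 0; i < 2; i++) {            /* skip the user and role fields */
        p = strchr(p, ':');
        if (p == NULL)
            return -1;
        p++;
    }
    len = strcspn(p, ":\n");             /* type ends at ':' (range), newline or NUL */
    if (len == 0)
        return -1;
    return (strlen(want) == len && strncmp(p, want, len) == 0) ? 1 : 0;
}

/* Read a context from path (e.g. /proc/1/attr/current) and check its type.
 * Returns -1 if the file is unreadable or does not hold a full context. */
int file_has_type(const char *path, const char *want)
{
    char buf[256] = "";
    FILE *f = fopen(path, "r");
    size_t n;
    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return context_has_type(buf, want);
}

int main(void)
{
    /* Judge PID 1 by its kernel-reported label, not by its command name. */
    int r = file_has_type("/proc/1/attr/current", "init_t");
    if (r == 1)
        puts("PID 1 is running in init_t");
    else if (r == 0)
        puts("PID 1 is not in init_t");
    else
        puts("could not read a valid context for PID 1");
    return r == 1 ? 0 : 1;
}
```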