[ubuntu-hardened] SELinux support in upstart

Alex Smith alex at alex-smith.me.uk
Sun Mar 18 07:28:33 GMT 2007


Scott James Remnant wrote:
> On Sun, 2007-03-18 at 03:39 +0000, Paul Sladen wrote:
> 
>> On Sat, 17 Mar 2007, Chad Sellers wrote:
>>> On Mar 17, 2007, at 11:15 PM, Paul Sladen wrote:
>>>> On Sat, 17 Mar 2007, Chad Sellers wrote:
>>>>> I just checked out the status of SELinux in Ubuntu for the first time
>>>>> in a while by looking at Feisty Herd 5.
>>>> Chad: perhaps you could outline what support needs adding.
>>> I meant support for loading policy, similar to what sysvinit already does.
>>> SELinux policy needs to be loaded very early in the boot process
>> Currently upstart is being used in compatibility mode where it simply runs
>> the existing 'sysvinit' startup scripts, so it's likely that this still
>> works as expected (this would be a useful experiment to test if you have a
>> working setup).
>>
> Actually the code to load the policy in sysvinit was coded directly into
> the init daemon (badly), so upstart simply doesn't support it.
> 
> Andrew Mitchell was working on patches for upstart, but they never saw
> the light of day.
> 
> I'd like to see SELinux supported by it, as long as it's done properly
> and not just hacked in any old way.
> 
> For example, could the policy be loaded in the initramfs rather than by
> init?

This would be problematic for distros that don't use an initramfs. Would 
it be sensible to have the policy loaded in a job with 'start on 
startup', i.e. the first job that runs? Or does it have to be loaded 
before anything runs?

Thanks,
Alex

-- 
Alex Smith
Frugalware Linux developer - http://www.frugalware.org


