[ubuntu-hardened] SELinux support in upstart
Scott James Remnant
scott at ubuntu.com
Sun Mar 18 11:44:51 GMT 2007
On Sun, 2007-03-18 at 07:28 +0000, Alex Smith wrote:
> This would be problematic for distros that don't use an initramfs.
>
All distros with a kernel supported by Upstart use an initramfs; it just
often contains nothing but the /dev/console that init gets passed.

Once the kernel developers stop arguing about kinit, it's hopefully
going to go in the direction that the kernel's namespace preparation
will be entirely outsourced to the initramfs and probably most people
will handle it by placing kinit there.

I don't think it's unreasonable to load the SELinux policy there, if it
is something that applies to the entire system, and is never changed.

Alternately perhaps the SELinux policy should apply on a per-service
level? Would being able to load alternate policies for different tasks
or services be useful? In that case Upstart could do it in
process_spawn().

> Would it be sensible to have the policy loaded in a job with 'start on
> startup', i.e. the first job that runs? Or does it have to be loaded
> before anything runs?
>
No, since many other jobs would be run simultaneously.

Scott
--
Scott James Remnant
Ubuntu Development Manager
scott at ubuntu.com