[ubuntu-hardened] SELinux support in upstart

Scott James Remnant scott at ubuntu.com
Sun Mar 18 22:15:25 GMT 2007 

On Sun, 2007-03-18 at 09:49 -0400, Chad Sellers wrote:

> On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
> > Actually the code to load the policy in sysvinit was coded directly  
> > into
> > the init daemon (badly), so upstart simply doesn't support it.
> >
> Yes, this had to be put directly into sysvinit because the policy  
> load needed to happen a good bit before the init scripts were  
> invoked. Out of curiosity, what were the problems with the sysvinit  
> load_policy patch? Why do you consider it done badly?
> 
It had bad behaviours (error messages, etc.) when SELinux wasn't
supported by the operating system, and it was literally a large patch
dropped into the middle of the existing code without even conforming to
the coding style around it.

It also forced several other things in init, such as mounting /proc and
the selinuxfs filesystem -- both of which shouldn't be built in.

> > Andrew Mitchell was working on patches for upstart, but they never saw
> > the light of day.
> >
> > I'd like to see SELinux supported by it, as long as it's done properly
> > and not just hacked in any old way.
> >
> > For example, could the policy be loaded in the initramfs rather  
> > than by
> > init?
> >
> This is actually how we handled policy loading several years ago (up  
> until late 2003). The problem with this are twofold.
> 1) You have to rebuild the initrd every time you change policy
> 
Not true.  Just load the policy once the root filesystem has been
mounted.

> 2) Not everyone uses an initrd. We'd rather not force people to use  
> an initrd to use SELinux, as the two are not necessarily tied to one  
> another.
> 
Everyone that uses Upstart has an initramfs, because all kernel versions
supported by Upstart have a minimum one that includes /dev/console at
the least.

As we move more towards kinit as well, it's likely that modern systems
will have quite a substantial initramfs.

Scott
-- 
Scott James Remnant
Ubuntu Development Manager
scott at ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : https://lists.ubuntu.com/archives/upstart-devel/attachments/20070318/d6332260/attachment.pgp

More information about the upstart-devel mailing list