[ubuntu-hardened] SELinux support in upstart

Matthias Urlichs smurf at smurf.noris.de
Mon Mar 19 07:59:31 GMT 2007


Chad Sellers:
> > I think though that SELinux is attempting to do things "before the  
> > system is started", in which case a far better place for SELinux to
> > be doing  its magic is the sort of "management mode" environment
> > that initramfs provides.
> That makes sense. I know the Red Hat guys had additional reasons for  
> doing this in init (see http://marc.info/? 
> l=selinux&m=106554815132096&w=2 for more info), but you guys may not  
> care about those reasons.
Better: those reasons no longer apply. They boil down to
- hacking initrd is a support nightmare
  - well, initramfs is *way* more modular
- some firmware / boot loaders do not support initrd
  - you can now simply append the initramfs to your kernel image
    (IIRC; some minor magic may be required?)
- you need to exec the real init in order to change security contexts
  - well, we do that anyway

=> no (known) problems with going for the initramfs solution — and
incidentally totally orthogonal to whether upstart or a non-selinux-
enabled sysvinit is used, thus off-topic for this list.  ;-)

Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  smurf at smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
Nothing succeeds like success.
		-- Alexandre Dumas

More information about the upstart-devel mailing list