[ubuntu-hardened] SELinux support in upstart
Matthias Urlichs
smurf at smurf.noris.de
Mon Mar 19 07:59:31 GMT 2007
Hi,
Chad Sellers:
> > I think though that SELinux is attempting to do things "before the
> > system is started", in which case a far better place for SELinux to
> > be doing its magic is the sort of "management mode" environment
> > that initramfs provides.
>
> That makes sense. I know the Red Hat guys had additional reasons for
> doing this in init (see
> http://marc.info/?l=selinux&m=106554815132096&w=2 for more info),
> but you guys may not care about those reasons.
>
Better: those reasons no longer apply. They boil down to
- hacking initrd is a support nightmare
  - well, initramfs is *way* more modular
- some firmware / boot loaders do not support initrd
  - you can now simply append the initramfs to your kernel image
    (IIRC; some minor magic may be required?)
- you need to exec the real init in order to change security contexts
  - well, we do that anyway
=> no (known) problems with going for the initramfs solution — and
incidentally totally orthogonal to whether upstart or a non-selinux-
enabled sysvinit is used, thus off-topic for this list. ;-)
--
Matthias Urlichs | {M:U} IT Design @ m-u-it.de | smurf at smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
- -
Nothing succeeds like success.
-- Alexandre Dumas