[ubuntu-hardened] SELinux support in upstart

Andrew Mitchell ajmitch at ubuntu.com
Mon Mar 19 21:49:46 GMT 2007


On Sun, Mar 18, 2007 at 10:15:25PM +0000, Scott James Remnant wrote:
> On Sun, 2007-03-18 at 09:49 -0400, Chad Sellers wrote:
> 
> > On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
> > > Actually the code to load the policy in sysvinit was coded directly into
> > > the init daemon (badly), so upstart simply doesn't support it.
> > >
> > Yes, this had to be put directly into sysvinit because the policy  
> > load needed to happen a good bit before the init scripts were  
> > invoked. Out of curiosity, what were the problems with the sysvinit  
> > load_policy patch? Why do you consider it done badly?
> > 
> It had bad behaviours (error messages, etc.) when SELinux wasn't
> supported by the operating system, and it was literally a large patch
> dropped into the middle of the existing code without even conforming to
> the coding style around it.
> 
> It also forced several other things in init, such as mounting /proc and
> the selinuxfs filesystem -- both of which shouldn't be built in.
> 
The equivalent behaviour was needed for upstart, and it was just ugly.
To get init into the right security context, it needed to re-exec after
loading the policy, so that domain transitions would happen properly.
This is still an issue with using initramfs.

> > > Andrew Mitchell was working on patches for upstart, but they never saw
> > > the light of day.
> > >
> > > I'd like to see SELinux supported by it, as long as it's done properly
> > > and not just hacked in any old way.
> > >
> > > For example, could the policy be loaded in the initramfs rather than by
> > > init?
> > >
> > This is actually how we handled policy loading several years ago (up
> > until late 2003). The problems with this are twofold.
> > 1) You have to rebuild the initrd every time you change policy
> > 
> Not true.  Just load the policy once the root filesystem has been
> mounted.
> 
> > 2) Not everyone uses an initrd. We'd rather not force people to use  
> > an initrd to use SELinux, as the two are not necessarily tied to one  
> > another.
> > 
> Everyone that uses Upstart has an initramfs, because all kernel versions
> supported by Upstart have a minimum one that includes /dev/console at
> the least.
> 
> As we move more towards kinit as well, it's likely that modern systems
> will have quite a substantial initramfs.
> 
> Scott

Using an initramfs is definitely preferable, as more things run in there
now that should run with a policy loaded, so that they get the right
labels on files created, for example. If there's a good way to re-exec
or change the security context on a running process in the initramfs,
I'd like to hear it so that upstart doesn't need to care about selinux
support.

Thanks,
Andrew
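
The sequence discussed in this thread, as an added example that is not code from sysvinit, upstart or any of the posters: stay silent when the kernel has no selinuxfs, otherwise load the policy and re-exec the same binary so the exec-time domain transition applies. The `EXAMPLE_POLICY_LOADED` marker and the use of `load_policy -i` as the loader are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MARK "EXAMPLE_POLICY_LOADED" /* hypothetical re-exec marker (assumption) */
enum step { SKIP_QUIETLY, LOAD_AND_REEXEC, CONTINUE_BOOT };
/* 1 if a /proc/filesystems listing names selinuxfs as a whole field. */
int has_selinuxfs(const char *listing) {
    const char *p = listing;
    while ((p = strstr(p, "selinuxfs")) != NULL) {
        int starts = (p == listing) || p[-1] == '\t' || p[-1] == '\n';
        int ends = (p[9] == '\n' || p[9] == '\0');
        if (starts && ends) return 1;
        p += 9;
    }
    return 0;
}

/* No SELinux: skip without messages. Marker set: this is the re-exec'd copy. */
enum step decide(const char *listing, const char *mark) {
    if (!has_selinuxfs(listing)) return SKIP_QUIETLY;
    return (mark && strcmp(mark, "1") == 0) ? CONTINUE_BOOT : LOAD_AND_REEXEC;
}

/* Assumed loader: policycoreutils' load_policy -i (initial load), found via PATH. */
static int load_policy(void) {
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        execlp("load_policy", "load_policy", "-i", (char *)NULL);
        _exit(127);
    }
    return (pid > 0 && waitpid(pid, &status, 0) == pid &&
            WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(int argc, char **argv) {
    char buf[4096] = "";
    FILE *f = fopen("/proc/filesystems", "r");
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); }
    if (argc > 0 && decide(buf, getenv(MARK)) == LOAD_AND_REEXEC && load_policy() == 0) {
        setenv(MARK, "1", 1);
        execv(argv[0], argv); /* exec is where SELinux applies the domain transition */
    }
    puts("continuing boot"); /* skip, second pass, or failed load/exec */
    return 0;
}
```

The marker keeps the re-exec'd copy from loading the policy a second time and looping; the program is meant for the early-boot stage, before any policy has been loaded.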