[ubuntu-hardened] SELinux support in upstart

Matthias Urlichs smurf at smurf.noris.de
Mon Mar 19 22:14:54 GMT 2007


Andrew Mitchell:
> > 
> The equivalent behaviour was needed for upstart, and it was just ugly.
> To get init into the right security context, it needed to re-exec after
> loading the policy, so that domain transitions would happen properly.
> This is still an issue with using initramfs.
Hmm. Forgive me if I'm wrong, but IIRC what should happen is
- "something" loads the selinux rules into the kernel,
- one of these rules says that exec()ing /sbin/init from kernel_t context
  results in the new process running in init_t context,
- the initramdisk init exec()s the real /sbin/init, which makes
  everybody happy.

Now, assuming that that "something" can be "any process running in
kernel context", there does not seem to be any problem here.

... and if I had enough free time, which I don't, I'd go and actually
check that theory before mailing. :-/

Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  smurf at smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
Word Processor:
	Software that magically transforms its user into a professional author.
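The rule set Matthias describes (exec() of /sbin/init from kernel_t landing the new process in init_t), written out as an added example in SELinux type-enforcement policy language; this is not code from the thread, and the type names kernel_t, init_t and init_exec_t are taken from the SELinux reference policy, not from anything the post itself names:

```selinux
# Added example, not from the mailing-list thread.
# Type names follow the SELinux reference policy (refpolicy); the actual
# Ubuntu policy of 2007 may have used different names or macros.

# On disk, /sbin/init carries the init_exec_t label (file_contexts entry):
#   /sbin/init    --    system_u:object_r:init_exec_t:s0

# 1. A process in kernel_t may read and execute files labelled init_exec_t.
allow kernel_t init_exec_t:file { getattr open read execute };

# 2. A process in kernel_t may transition to the init_t domain.
allow kernel_t init_t:process transition;

# 3. init_exec_t is a valid entry point into init_t (only this file type
#    may be exec()ed to enter the domain).
allow init_t init_exec_t:file entrypoint;

# 4. Make the domain change automatic on exec(): no setexeccon() needed,
#    which is what lets the initramfs init simply exec() the real /sbin/init.
type_transition kernel_t init_exec_t:process init_t;
```

The `type_transition` rule only fires at exec() time, which is the crux of the discussion: if policy is loaded by a process that is already running (init loading it itself), that process stays in its old domain until it re-execs, whereas if the initramfs loads the policy before exec()ing /sbin/init, the transition happens as a side effect of the exec(). To confirm which of the two actually happened on a booted system, inspect the context of PID 1 with `ps -Z 1` or `cat /proc/1/attr/current` and check that it reports init_t rather than kernel_t.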
