[ubuntu-hardened] SELinux support in upstart
Scott James Remnant
scott at netsplit.com
Tue Mar 20 11:56:46 GMT 2007
On Tue, 2007-03-20 at 09:49 +1200, Andrew Mitchell wrote:
> On Sun, Mar 18, 2007 at 10:15:25PM +0000, Scott James Remnant wrote:
> > On Sun, 2007-03-18 at 09:49 -0400, Chad Sellers wrote:
> >
> > > On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
> > > > Actually the code to load the policy in sysvinit was coded directly
> > > > into
> > > > the init daemon (badly), so upstart simply doesn't support it.
> > > >
> > > Yes, this had to be put directly into sysvinit because the policy
> > > load needed to happen a good bit before the init scripts were
> > > invoked. Out of curiosity, what were the problems with the sysvinit
> > > load_policy patch? Why do you consider it done badly?
> > >
> > It had bad behaviours (error messages, etc.) when SELinux wasn't
> > supported by the operating system, and it was literally a large patch
> > dropped into the middle of the existing code without even conforming to
> > the coding style around it.
> >
> > It also forced several other things in init, such as mounting /proc and
> > the selinuxfs filesystem -- both of which shouldn't be built in.
> >
> The equivalent behaviour was needed for upstart, and it was just ugly.
> To get init into the right security context, it needed to re-exec after
> loading the policy, so that domain transitions would happen properly.
> This is still an issue with using initramfs.
>
The last thing initramfs does is re-exec the real /sbin/init anyway;
wouldn't this apply the right context to it, and thus solve the problem?
Scott
--
Have you ever, ever felt like this?
Had strange things happen? Are you going round the twist?
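The sequence Andrew describes above (mount what the policy loader needs, load the policy, then re-exec so the kernel applies the domain transition for the init executable), together with the quiet behaviour on non-SELinux kernels that Scott faults the sysvinit patch for, as an added example in C. This is illustrative code, not upstart's, sysvinit's or initramfs's own; the mount point, the policy path and the SELINUX_INIT_REEXEC marker are assumptions, and the /proc/filesystems parser and the context check run without root or SELinux.

```c
/* Added example, not upstart/sysvinit code. Mount point, policy path and
 * the re-exec marker below are assumptions chosen for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

#define SELINUXFS_MNT "/sys/fs/selinux"         /* assumed mount point */
#define POLICY_PATH   "/etc/selinux/policy.bin" /* assumed policy blob */
#define REEXEC_MARK   "SELINUX_INIT_REEXEC"     /* hypothetical marker */

/* Return 1 if a /proc/filesystems listing ("[nodev]\t<name>" per line)
 * names fsname, else 0. Only the name field after the tab is compared. */
int kernel_lists_fs(const char *listing, const char *fsname)
{
    size_t want = strlen(fsname);
    for (const char *p = listing; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *tab = memchr(p, '\t', len);
        const char *name = tab ? tab + 1 : p;
        size_t nlen = len - (size_t)(name - p);
        if (nlen == want && memcmp(name, fsname, want) == 0)
            return 1;
        if (!eol)
            break;
        p = eol + 1;
    }
    return 0;
}

/* Read a small pseudo-file into buf, NUL-terminated, trailing newline/NUL
 * stripped. Returns the length or -1; never prints anything. */
static ssize_t read_small(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0) return -1;
    while (n > 0 && (buf[n - 1] == '\n' || buf[n - 1] == '\0')) n--;
    buf[n] = '\0';
    return n;
}

/* Quietly decide whether this kernel supports SELinux at all: a kernel
 * built without it simply does not list selinuxfs, and we say nothing. */
int selinux_supported(void)
{
    char buf[4096];
    return read_small("/proc/filesystems", buf, sizeof buf) > 0 &&
           kernel_lists_fs(buf, "selinuxfs");
}

/* Return 1 if the type field of "user:role:type[:level]" equals type. */
int context_has_type(const char *ctx, const char *type)
{
    const char *a = strchr(ctx, ':');
    const char *b = a ? strchr(a + 1, ':') : NULL;
    if (!b) return 0;
    const char *t = b + 1;
    const char *e = strchr(t, ':');
    size_t len = e ? (size_t)(e - t) : strlen(t);
    return len == strlen(type) && memcmp(t, type, len) == 0;
}

/* Push the policy blob into <selinuxfs>/load. The kernel wants the whole
 * policy in one write(), so the file is read completely first.
 * Returns bytes written, or -1 with errno set. */
long load_policy(const char *selinuxfs, const char *policy)
{
    char loadpath[256];
    snprintf(loadpath, sizeof loadpath, "%s/load", selinuxfs);
    int pfd = open(policy, O_RDONLY | O_CLOEXEC);
    if (pfd < 0) return -1;
    off_t size = lseek(pfd, 0, SEEK_END);
    char *blob = size > 0 ? malloc((size_t)size) : NULL;
    if (!blob || pread(pfd, blob, (size_t)size, 0) != size) {
        close(pfd); free(blob); return -1;
    }
    close(pfd);
    int lfd = open(loadpath, O_WRONLY | O_CLOEXEC);
    ssize_t n = lfd < 0 ? -1 : write(lfd, blob, (size_t)size);
    if (lfd >= 0) close(lfd);
    free(blob);
    return n == size ? (long)n : -1;
}

int main(int argc, char **argv)
{
    char ctx[256];
    (void)argc;
    if (getenv(REEXEC_MARK)) {
        /* Second life: the policy was loaded before this execve, so the
         * kernel applied the transition rule for our executable. Without
         * such a rule in the loaded policy we are still in kernel_t. */
        unsetenv(REEXEC_MARK);
        if (read_small("/proc/self/attr/current", ctx, sizeof ctx) > 0)
            printf("init is %sin kernel_t\n",
                   context_has_type(ctx, "kernel_t") ? "still " : "no longer ");
        return 0;                 /* ...carry on as init from here */
    }
    if (!selinux_supported())
        return 0;                 /* non-SELinux kernel: boot on silently */
    if (mount("selinuxfs", SELINUXFS_MNT, "selinuxfs", 0, NULL) < 0 && errno != EBUSY)
        return 0;
    if (load_policy(SELINUXFS_MNT, POLICY_PATH) < 0)
        return 0;
    setenv(REEXEC_MARK, "1", 1);
    execv("/proc/self/exe", argv); /* the transition happens only on this exec */
    return 1;
}
```

The marker variable is what keeps the re-exec from looping; a real init would instead check whether selinuxfs already carries a loaded policy. The point relevant to Scott's question is in the last lines: a domain transition is evaluated at execve, so initramfs's final exec of /sbin/init gives init the right context only if the policy has already been loaded by then, and only if that policy contains a transition rule from the kernel domain for the init executable's file type.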