[ubuntu-hardened] SELinux support in upstart
Stephen Carpenter, KSC
sjc at carpanet.net
Mon Mar 26 22:14:44 BST 2007
On Mon, Mar 26, 2007 at 02:53:57PM -0400, Chad Sellers wrote:
> On Mar 19, 2007, at 5:49 PM, Andrew Mitchell wrote:
>
> > On Sun, Mar 18, 2007 at 10:15:25PM +0000, Scott James Remnant wrote:
> >> On Sun, 2007-03-18 at 09:49 -0400, Chad Sellers wrote:
> >>
> >>> On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
> >>>> Actually the code to load the policy in sysvinit was coded directly
> >>>> into the init daemon (badly), so upstart simply doesn't support it.
> >>>>
> >>> Yes, this had to be put directly into sysvinit because the policy
> >>> load needed to happen a good bit before the init scripts were
> >>> invoked. Out of curiosity, what were the problems with the sysvinit
> >>> load_policy patch? Why do you consider it done badly?
> >>>
> >> It had bad behaviours (error messages, etc.) when SELinux wasn't
> >> supported by the operating system, and it was literally a large patch
> >> dropped into the middle of the existing code without even conforming to
> >> the coding style around it.
> >>
> >> It also forced several other things in init, such as mounting /proc and
> >> the selinuxfs filesystem -- both of which shouldn't be built in.
> >>
> > The equivalent behaviour was needed for upstart, and it was just ugly.
> > To get init into the right security context, it needed to re-exec after
> > loading the policy, so that domain transitions would happen properly.
> > This is still an issue with using initramfs.
> >
> Why is this still an issue for initramfs? Doesn't the pseudo-init
> within the initramfs end up executing the real init (upstart) after
> loading policy, causing this which puts the real init in the right
> context?
That's how I have it set up:
=====
LABEL                     USER PID %CPU %MEM  VSZ RSS TTY S
system_u:system_r:init_t  root   1  0.0  0.2 1568 532 ?   S
=====
Looks like you are correct as far as I can tell.
-Steve
--
Warning: This line and the ones after it was randomly selected from
a database of possible Signatures. Do not adjust your screen.
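An added check (not part of the thread or of upstart) that does in script form what the ps output above does by eye: read PID 1's SELinux context and confirm it landed in init_t. The kernel_t diagnosis is an assumption based on how SELinux assigns the initial context before policy load; the expected type defaults to init_t from the thread.

```shell
# Added example: verify that the real init ended up in the expected SELinux
# domain after the initramfs loaded policy and exec'd it. If PID 1 is still
# in kernel_t, policy was loaded but no exec() followed, so the domain
# transition the thread describes never happened (assumption, see lead-in).

# Type field is the third colon-separated component of a context such as
# system_u:system_r:init_t:s0 or system_u:system_r:init_t (no MLS field).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if the context is in the expected domain, 1 otherwise.
# Arguments: context string, expected type (defaults to init_t).
check_init_domain() {
    ctx=$1
    want=${2:-init_t}
    have=$(selinux_type "$ctx")
    if [ "$have" = "$want" ]; then
        echo "PID 1 is in $have: policy load and re-exec worked"
        return 0
    fi
    case "$have" in
        kernel_t) echo "PID 1 is still in kernel_t: no exec after policy load" ;;
        "")       echo "no SELinux context: SELinux unsupported or disabled" ;;
        *)        echo "PID 1 is in $have, expected $want" ;;
    esac
    return 1
}

# Live check: /proc/1/attr/current is the source of the LABEL column in ps -Z.
# The value is NUL-terminated, so strip the NUL before parsing.
check_live_init() {
    if [ -r /proc/1/attr/current ]; then
        check_init_domain "$(tr -d '\0' < /proc/1/attr/current)" "$@"
    else
        echo "/proc/1/attr/current not readable: SELinux not available here"
        return 2
    fi
}

# Run the live check when executed directly; result is advisory, so do not
# let a non-SELinux host abort the script.
check_live_init || :
```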