[ubuntu-hardened] SELinux support in upstart

Stephen Carpenter, KSC sjc at carpanet.net
Mon Mar 26 22:14:44 BST 2007


On Mon, Mar 26, 2007 at 02:53:57PM -0400, Chad Sellers wrote:
> On Mar 19, 2007, at 5:49 PM, Andrew Mitchell wrote:
> 
> > On Sun, Mar 18, 2007 at 10:15:25PM +0000, Scott James Remnant wrote:
> >> On Sun, 2007-03-18 at 09:49 -0400, Chad Sellers wrote:
> >>
> >>> On Mar 18, 2007, at 12:44 AM, Scott James Remnant wrote:
> >>>> Actually the code to load the policy in sysvinit was coded directly
> >>>> into
> >>>> the init daemon (badly), so upstart simply doesn't support it.
> >>>>
> >>> Yes, this had to be put directly into sysvinit because the policy
> >>> load needed to happen a good bit before the init scripts were
> >>> invoked. Out of curiosity, what were the problems with the sysvinit
> >>> load_policy patch? Why do you consider it done badly?
> >>>
> >> It had bad behaviours (error messages, etc.) when SELinux wasn't
> >> supported by the operating system, and it was literally a large patch
> >> dropped into the middle of the existing code without even  
> >> conforming to
> >> the coding style around it.
> >>
> >> It also forced several other things in init, such as mounting / 
> >> proc and
> >> the selinuxfs filesystem -- both of which shouldn't be built in.
> >>
> > The equivalent behaviour was needed for upstart, and it was just ugly.
> > To get init into the right security context, it needed to re-exec  
> > after
> > loading the policy, so that domain transitions would happen properly.
> > This is still an issue with using initramfs.
> >
> Why is this still an issue for initramfs? Doesn't the pseudo-init  
> within the initramfs end up executing the real init (upstart) after  
> loading policy, causing this which puts the real init in the right  
> context?

Thats how I have it set up:
=====
LABEL                           USER       PID %CPU %MEM    VSZ   RSS
TTY      S
system_u:system_r:init_t        root         1  0.0  0.2   1568   532 ?
S
=====

Looks like you are correct as far as I can tell.

-Steve
-- 
Warning: This line and the ones after it was randomly selected from
a database of possible Signatures. Do not adjust your screen.



More information about the upstart-devel mailing list