Bill Nottingham wrote:
> We're looking to move to a different init system in Fedora - the
> current work is going to be around upstart, most likely. upstart
> does not have native code for loading the SELinux policy.
>
> We could modify every possible init to load the policy... but
> that would be painful. So we might as well move to having the
> policy loaded from the initramfs. The attached patches are the
> first quick cut at doing that.
>
> The main patch is for mkinitrd/nash; there's a short patch for the
> current init, as it will abort if policy is already loaded. We
> can't actually remove the code from init to load the policy, as
> there will always be older initramfses.
>
> Comments? Ideas for different ways to do this? It's sort of ugly
> with fork and chroot(), but to avoid that we'd have to reimplement
> most, if not all, of libselinux's policy loading code directly.
>
> Bill
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

We also have to worry about transitions.

init_t -> initrc_t -> httpd_t

If an init program (initng) does not do a fork/exec of the initrc_t script then transitions will not work properly.