http://etbe.coker.com.au/2008/07/24/se-linux-policy-loading/

Firstly, above is the URL for the blog post in question, for the benefit of people who don't normally read Planet SE Linux.

On Friday 25 July 2008 12:08, Stephen Smalley <stephen.smalley@xxxxxxxxx> wrote:
> I saw your blog entry about policy loading on planet selinux - you ought
> to bring issues like that up on selinux list for discussion rather than
> just blogging about them.

If I had realised what was going on before the release of Fedora 9 I would have. But it seems that the Red Hat people have made their decision, so the decisions about what to do for Debian and Ubuntu have to be made separately.

> First, to clarify, while Ubuntu and Fedora are initiating the policy
> load from the initramfs, they are taking the policy from the real root
> filesystem. Thus, the policy is not being stored on the initramfs image
> and updates to policy do not require rebuilding the image.

I have been told that an Ubuntu initramfs generated for a non-SE system will not have the scripts in question installed. So there is a need to regenerate the initramfs when converting to SE Linux.

> On the positive side, the initramfs-based approach does mean
> that /sbin/init from the real root automatically transitions into the
> right domain since policy is already loaded.

Saving one exec system call.

> And policy gets loaded no
> matter what init is used or even if the user specifies an alternate
> init= program on the kernel command line.

As I noted in my blog post there are not many init programs. Only two are commonly used, and one of them has had the patch well supported for a long time. Deciding to patch two vastly different initramfs systems instead of one init system (which is very similar to the other one) was never going to reduce pain.

> As you note, performing the load from initramfs can be problematic for
> systems that cannot or choose not to use an initramfs,

Not problematic, a major show-stopper!

> So I'm not fundamentally opposed to having the support in /sbin/init as
> well if that's feasible, but you'll need it to detect whether policy has
> already been loaded and skip it if so or it will end up loading policy
> twice on systems that are using the initramfs-based approach.

Caleb has suggested having the already patched SysV init for systems that can't use initramfs. That means such detection would be required in that case.

-- 
russell@xxxxxxxxxxxx
http://etbe.coker.com.au/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
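The "detect whether policy has already been loaded and skip it" check discussed above, as an added shell example that is not code from the thread, sysvinit or any distribution. It assumes that before any policy is loaded every process runs in the initial "kernel" context as reported by /proc/self/attr/current, and it takes the attribute file path as an argument so the check can be exercised against constructed files; the loader command is also a parameter.

```shell
#!/bin/sh
# Added example: an init-time policy load that is skipped when an initramfs
# has already loaded policy, so policy is never loaded twice.
# Assumption: with no policy loaded, /proc/self/attr/current reads "kernel"
# (the initial SID); once a policy is loaded it reads a real context.

# policy_loaded [ATTR_FILE]
#   ATTR_FILE defaults to /proc/self/attr/current; a path may be passed so
#   the check can be tested against constructed files.
#   Returns 0 if a policy appears to be loaded, 1 otherwise.
policy_loaded() {
    attr="${1:-/proc/self/attr/current}"
    # No attribute file: kernel without SELinux, or /proc not mounted yet.
    [ -r "$attr" ] || return 1
    # The attribute is NUL-terminated; strip the NUL before comparing.
    ctx=$(tr -d '\000' < "$attr" 2>/dev/null)
    case "$ctx" in
        ""|kernel) return 1 ;;   # initial SID: no policy loaded yet
        *)         return 0 ;;   # a real security context: policy is loaded
    esac
}

# maybe_load_policy [ATTR_FILE] [LOADER]
#   Runs LOADER (default /sbin/load_policy) only when no policy is loaded.
#   Prints "skip" or "load" so the branch taken is visible in logs.
maybe_load_policy() {
    if policy_loaded "$1"; then
        echo "skip"
        return 0
    fi
    echo "load"
    "${2:-/sbin/load_policy}"
}
```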