[RFC] change policy loading to initramfs

Daniel J Walsh dwalsh at redhat.com
Thu Jan 24 15:34:16 UTC 2008



Stephen Smalley wrote:
> On Wed, 2008-01-23 at 17:29 -0500, Bill Nottingham wrote:
>> We're looking to move to a different init system in Fedora - the
>> current work is going to be around upstart, most likely. upstart
>> does not have native code for loading the SELinux policy.
>>
>> We could modify every possible init to load the policy... but
>> that would be painful. So we might as well move to having the
>> policy loaded from the initramfs. The attached patches are the
>> first quick cut at doing that.
>>
>> The main patch is for mkinitrd/nash; there's a short patch for the
>> current init, as it will abort if policy is already loaded. We
>> can't actually remove the code from init to load the policy, as
>> there will always be older initramfses.
>>
>> Comments? Ideas for different ways to do this? It's sort of ugly
>> with fork and chroot(), but to avoid that we'd have to reimplement
>> most, if not all, of libselinux's policy loading code directly.
> 
> Hmm...Chad Sellers was working on similar support for Ubuntu, but did it
> by adding a -i option to the load_policy program to perform an initial
> policy load so that you can just execute it from a script rather than
> requiring a direct patch to nash or anything else.  cc'ing him.  The
> load_policy -i support is upstream and should be in Fedora devel /
> rawhide too.
> 
>> Bill
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
load_policy -i is available in rawhide.
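The script-driven approach Stephen describes (run `load_policy -i` from the initramfs init instead of patching nash with fork and chroot) leaves one decision to the script author: what to do when the load fails. The following is an added example, not code from this thread, from mkinitrd/nash, or from Fedora; it assumes the real root is already mounted at `$NEWROOT` (assumed variable), that the policy lives on that root, and that `/etc/selinux/config` is the mode source. The fail-closed handling (halt when `SELINUX=enforcing` and the load fails, otherwise continue) is modelled on how a native init behaves, and is an assumption here, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread, mkinitrd/nash or Fedora): an initramfs-side
# SELinux policy load built around `load_policy -i`. Paths and the handling of a
# failed load are assumptions, labelled below.

# Print the SELINUX= value from a config file (assumed: $NEWROOT/etc/selinux/config).
# Prints enforcing, permissive or disabled. A missing or malformed file yields
# "enforcing", the fail-closed default: an unreadable config must not silently
# turn a policy-load failure into an unconfined boot.
selinux_mode() {
    conf="$1"
    mode=""
    if [ -r "$conf" ]; then
        # SELINUXTYPE= does not match because '=' must follow SELINUX directly.
        mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$conf" | tail -n 1)
    fi
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo enforcing ;;
    esac
}

# Decide the init script's next step from the configured mode and the exit
# status of load_policy. Prints one of:
#   skip     - SELinux disabled in config, no load attempted
#   continue - policy loaded, carry on booting
#   degrade  - load failed in permissive mode: boot continues without enforcement
#   halt     - load failed in enforcing mode: every process would run without a
#              policy, so stop rather than boot an unconfined system
policy_load_outcome() {
    mode="$1"
    rc="$2"
    if [ "$mode" = disabled ]; then echo skip; return; fi
    if [ "$rc" -eq 0 ]; then echo continue; return; fi
    if [ "$mode" = enforcing ]; then echo halt; else echo degrade; fi
}

# Glue an initramfs init would call after mounting the real root. It chroots only
# for the duration of load_policy, so nothing from libselinux is reimplemented.
# Returns 0 to continue booting, 1 when the boot should be halted.
load_policy_from_initramfs() {
    newroot="${1:-${NEWROOT:-/sysroot}}"          # assumed mount point of the real root
    mode=$(selinux_mode "$newroot/etc/selinux/config")
    if [ "$mode" = disabled ]; then
        echo "SELinux disabled in config, skipping policy load"
        return 0
    fi
    if [ ! -x "$newroot/sbin/load_policy" ]; then
        rc=127                                     # binary missing: treat as a failed load
    else
        # -i: initial policy load, the option discussed in the thread.
        chroot "$newroot" /sbin/load_policy -i
        rc=$?
    fi
    case $(policy_load_outcome "$mode" "$rc") in
        continue) echo "SELinux policy loaded"; return 0 ;;
        degrade)  echo "policy load failed (rc=$rc); SELINUX=permissive, continuing"; return 0 ;;
        halt)     echo "policy load failed (rc=$rc); SELINUX=enforcing, halting"; return 1 ;;
    esac
}
```

In an init script this would be called as `load_policy_from_initramfs "$NEWROOT" || halt_boot` right after the real root is mounted and before `switch_root`. Keeping the mode parsing and the outcome decision in separate functions means the fail-closed rule can be tested without a kernel that has selinuxfs, which is also why the example leaves the actual `load_policy` invocation to the last function.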