http://etbe.coker.com.au/2008/07/24/se-linux-policy-loading/
I've described the issues related to init and SE Linux at the above URL. I've attached a patch for upstart to make it load the policy. This patch was written over a year ago, so some minor changes may be required, but basically the code is good.

In summary, the way SysVInit works is pretty good; it's been working well like that for many years. We should have a reason for doing things differently, and there is none.

The Red Hat idea of modifying the initramfs has the potential to make a system unbootable (you know for a fact that you have a working initramfs, you don't know that the next one you generate will work).

The Red Hat idea drops support for systems that don't have an initramfs. At best this limits the choices available to the sysadmin (they should be allowed to choose to compile a kernel without an initramfs and run it with SE Linux). It also means dropping support for systems that don't support it; in the past there was quite a bit of hardware that didn't support booting with an initramfs. Note that commercially available Xen virtual servers tend not to have an initramfs, so if we are ever to get Debian SE Linux support available at VPS hosting companies then we need to have init load the policy.

If the Red Hat idea is implemented in a consistent manner then it would require removing code from SysVInit. Changing code that is working perfectly to support code with fewer features is a bad idea.

Making the initramfs bigger is a problem: it slows booting for tftp boot systems, it reduces space on the boot device, and there are situations where you may reach some hard limit of size. The patch for /sbin/init is very small; it will take less disk space overall than the Red Hat idea.

There are lots of reasons for not following the Red Hat ideas on this issue. While you might debate some of them, you will find a lack of compelling reasons for following Red Hat.

Philipp, thanks for your bug report.

I'm a bit short of time this week; I would appreciate it if you could do some tests with upstart compiled with this patch. I will of course do all ongoing maintenance on this patch to keep it up to date. Finally, please note that while Unstable can't boot when running SysVInit in Enforcing mode due to policy bugs, I will assign a lower priority to fixing Upstart than I might otherwise.
diff -ru nose-upstart-0.3.9/init/Makefile.am upstart-0.3.9/init/Makefile.am --- nose-upstart-0.3.9/init/Makefile.am 2007-10-12 07:00:29.000000000 +1000 +++ upstart-0.3.9/init/Makefile.am 2008-07-24 15:15:15.000000000 +1000 @@ -28,7 +28,7 @@ init_LDADD = \ ../upstart/libupstart.la \ ../nih/libnih.la \ - $(LTLIBINTL) + -lsepol -lselinux $(LTLIBINTL) EXTRA_DIST = init.supp diff -ru nose-upstart-0.3.9/init/main.c upstart-0.3.9/init/main.c --- nose-upstart-0.3.9/init/main.c 2007-10-12 06:50:58.000000000 +1000 +++ upstart-0.3.9/init/main.c 2008-07-24 15:23:27.000000000 +1000 @@ -22,6 +22,7 @@ # include <config.h> #endif /* HAVE_CONFIG_H */ +#include <selinux/selinux.h> #include <sys/types.h> #include <sys/time.h> @@ -117,6 +118,21 @@ { char **args; int ret; + int enforce = 0; + + if (getenv("SELINUX_INIT") == NULL) { + putenv("SELINUX_INIT=YES"); + if (selinux_init_load_policy(&enforce) == 0 ) { + execv(argv[0], argv); + } else { + if (enforce > 0) { + /* SELinux in enforcing mode but load_policy failed */ + /* At this point, we probably can't open /dev/console, so log() won't work */ + fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n"); + exit(1); + } + } + } argv0 = argv[0]; nih_main_init (argv0);
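Review bot: In init/Makefile.am the added "-lsepol -lselinux" on init_LDADD is unconditional, so init can no longer be built or linked on a system without the SELinux libraries. Suggest detecting libselinux in configure and passing the flags through a substituted variable, with the #include <selinux/selinux.h> and the new block in main.c wrapped in a matching #ifdef. The only SELinux call visible in this patch is selinux_init_load_policy(), which comes from libselinux, so it is worth checking whether the explicit -lsepol is needed at all.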
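Review bot: In the main() hunk of init/main.c the return from execv(argv[0], argv) is not checked, so if the re-exec fails after selinux_init_load_policy() has succeeded, init falls through to nih_main_init() with the policy loaded but without having re-executed, and nothing is reported. Suggest printing the error after the execv() call and deciding explicitly whether to continue or halt. The result of putenv("SELINUX_INIT=YES") is also unchecked: if it fails, the re-executed init sees SELINUX_INIT unset and runs the load and execv() again, so check it (or use setenv()) before calling execv(). The block runs before nih_main_init() and the hunk shows no check that the process is PID 1; if this binary can be invoked other than as init, add a getpid() == 1 guard. The failure path with enforce == 0 continues silently; a one-line warning on stderr would help when debugging a permissive-mode boot.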