Re: The future of the boot system in Debian
Hi,
One of the features missing in upstart that is present in
sysvinit is that the latter loads SELinux security policy early in the
boot sequence, and the former does not (please correct me if this is not
the case). I would be happy to help integrate selinux into upstart,
if that is the future of booting in Debian.
Having /sbin/init load the security policy is good because:
a) Doing it in an init script makes it easier to bypass security by
running another script earlier (so a malicious superuser may
trivially bypass security on reboot). This is even harder to prevent
using an event based system.
b) Using an init script makes it impossible to enforce security
policies and access control over which files /sbin/init may read,
c) Since it is compiled in, there is no dependency on things in
/usr/bin -- like load_policy, which also needs libsepol1 from /usr,
which is not small,
d) Putting policy loading in initramfs is bad for two reasons:
i) It means we would no longer support SELinux use without having to
use initramfs -- my machines do not use either an initramfs, nor
modules -- which is easy when using custom kernels, and I think
is a use case Debian should continue to support
ii) We would need to either patch something in the initramfs to link
with libselinux1, to load policy directly, or we will have to
load into the initramfs load_policy and libsepol1 from /usr,
Adding a couple of small hunks to whatever provides /sbin/init
seems easier.
e) At this point, we only have two candidates for /sbin/init, sysvinit
and upstart, so the burden of writing patches is not onerous, and in
any case, I am volunteering to help create the patches.
manoj
ps: The sysvinit patches are rather small, and just two chunks (apart
from header includes). This is in init.c:
--8<---------------cut here---------------start------------->8---
#ifdef WITH_SELINUX
	/* enforce is filled in by selinux_init_load_policy(); myname and
	 * argv are init's own name and arguments from main(). */
	int enforce = 0;

	if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
		/* The variable survives execv(), so the re-executed init
		 * skips this block instead of looping. */
		putenv("SELINUX_INIT=YES");
		if (selinux_init_load_policy(&enforce) == 0) {
			/* Policy loaded: re-exec so PID 1 runs in its own domain. */
			execv(myname, argv);
		} else {
			if (enforce > 0) {
				/* SELinux in enforcing mode but load_policy failed */
				/* At this point, we probably can't open /dev/console, so log() won't work */
				fprintf(stderr, "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
				exit(1);
			}
			/* Permissive or disabled: continue booting without policy. */
		}
	}
#endif
	/* Start booting. */
--8<---------------cut here---------------end--------------->8---
This is in src/sulogin.c
--8<---------------cut here---------------start------------->8---
#ifdef WITH_SELINUX
	if (is_selinux_enabled() > 0) {
		security_context_t scon = NULL;
		char *seuser = NULL;
		char *level = NULL;

		/* Look up root's SELinux user and MLS level, then derive the
		 * default context for the rescue shell so that it does not
		 * simply inherit sulogin's context. */
		if (getseuserbyname("root", &seuser, &level) == 0) {
			/* get_default_context_with_level() returns 0 on success. */
			if (get_default_context_with_level(seuser, level, 0, &scon) == 0) {
				if (setexeccon(scon) != 0)
					fprintf(stderr, "setexeccon failed\n");
				freecon(scon);
			}
		}
		free(seuser);
		free(level);
	}
#endif
	execl(sushell, shell, NULL);
	perror(sushell);
--8<---------------cut here---------------end--------------->8---
--
It is easier to resist at the beginning than at the end. Leonardo da Vinci
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
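Added example, not part of the message above: a shell check for the point that an init which loads policy and re-executes itself ends up in its own confined domain, whereas policy loaded afterwards by an init script leaves PID 1 in kernel_t. It assumes the refpolicy domain name init_t and reads /proc/1/attr/current for the live check.

```shell
#!/bin/sh
# Added example (not from the original message). Classifies the SELinux
# context of PID 1: "early" when init loaded policy and re-exec'd itself
# (init_t under refpolicy, assumed here), "late" when PID 1 is still in
# kernel_t, the domain every pre-policy task is placed in.

# Type field of a "user:role:type[:level]" context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Prints one of: disabled, early, late, other.
classify_init_context() {
    _ctx=$1
    # /proc/1/attr/current is empty or unreadable when SELinux is off.
    if [ -z "$_ctx" ]; then
        echo disabled
        return 0
    fi
    case "$(ctx_type "$_ctx")" in
        init_t)   echo early ;;
        kernel_t) echo late ;;
        *)        echo other ;;
    esac
}

# Live check against the running system (the attribute ends in a NUL).
check_live_init() {
    _live=$(cat /proc/1/attr/current 2>/dev/null | tr -d '\000')
    classify_init_context "$_live"
}
```

Running check_live_init on a box that loads policy from an init script should print "late"; with the init.c change above it prints "early".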