
Re: The future of the boot system in Debian


        One of the features missing in upstart that is present in
 sysvinit is that the latter loads SELinux security policy early in the
 boot sequence, and the former does not (please correct me if this is not
 the case).  I would be happy to help integrate SELinux into upstart,
 if that is the future of booting in Debian.

        Having /sbin/init load the security policy is good because:
 a) Doing it in an init script makes it easier to bypass security by
    running another script earlier (so a malicious superuser may
    trivially bypass security on reboot). This is even harder to prevent
    using an event based system.
 b) Using an init script makes it impossible to enforce security
    policies and access control over which files /sbin/init may read,
 c) Since it is compiled in, there is no dependency on things in
    /usr/bin -- like load_policy, which also needs libsepol1 from /usr,
    which is not small,
 d) Putting policy loading in initramfs is bad for two reasons:
    i) It means we would no longer support SELinux use without having to
       use initramfs -- my machines do not use either an initramfs, nor
       modules -- which is easy when using custom kernels, and I think
       is a use case Debian should continue to support
   ii) We would need to either patch something in the initramfs to link
       with libselinux1, to load policy directly, or we will have to
       load into the initramfs load_policy and libsepol1 from /usr,
        Adding a couple of small hunks to whatever provides /sbin/init
       seems easier.
 e) At this point, we only have two candidates for /sbin/init, sysvinit
    and upstart, so the burden of writing patches is not onerous, and in
    any case, I am volunteering to help create the patches.


ps: The sysvinit patches are rather small, and just two chunks (apart
from header includes). This is in init.c:
--8<---------------cut here---------------start------------->8---
        /* Runs in main() before anything else is started; `enforce' is an
         * int declared earlier in main().  Load the policy, then re-exec
         * ourselves so that init itself gets the domain the policy assigns
         * it.  SELINUX_INIT marks the second pass so this cannot loop. */
        if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
          if (selinux_init_load_policy(&enforce) == 0) {
            putenv("SELINUX_INIT=YES");
            execv(myname, argv);
          } else {
            if (enforce > 0) {
              /* SELinux in enforcing mode but load_policy failed */
              /* At this point, we probably can't open /dev/console, so log() won't work */
              fprintf(stderr, "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
              exit(1);
            }
          }
        }
        /* Start booting. */
--8<---------------cut here---------------end--------------->8---

        This is in src/sulogin.c
--8<---------------cut here---------------start------------->8---
        /* Before exec'ing the rescue shell, set the exec context to root's
         * default context so the shell does not inherit sulogin's domain. */
        if (is_selinux_enabled() > 0) {
          char *scon = NULL;
          char *seuser = NULL;
          char *level = NULL;
          if (getseuserbyname("root", &seuser, &level) == 0) {
                  /* get_default_context_with_level() returns 0 on success, -1 on failure */
                  if (get_default_context_with_level(seuser, level, 0, &scon) == 0) {
                          if (setexeccon(scon) != 0)
                                  fprintf(stderr, "setexeccon failed\n");
                          freecon(scon);
                  }
                  free(seuser);
                  free(level);
          }
        }
        execl(sushell, shell, NULL);
--8<---------------cut here---------------end--------------->8---

It is easier to resist at the beginning than at the end. Leonardo da
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
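An added example, not part of the message above or of sysvinit, that models the decisions such an init makes before anything else runs: how the enforcing mode is resolved (the "enforcing=" and "selinux=0" kernel command-line keys overriding SELINUX= in /etc/selinux/config, which is how I understand libselinux's selinux_init_load_policy() to behave; falling back to enforcing when nothing is configured is this example's own choice), the re-exec after a successful load with the SELINUX_INIT guard that stops it looping, and the halt when the load fails in enforcing mode. The loader itself is stubbed (loader_succeeds), and the cmdline/config strings are constructed, so it builds and runs without libselinux or root.

```c
/* Added example: models an SELinux-aware /sbin/init's early decisions.
 * Not code from the message above or from sysvinit.  Enforcing-mode
 * precedence follows libselinux's selinux_init_load_policy() as I
 * understand it; the fail-closed default is this example's own choice.
 * The policy loader is stubbed so this runs without libselinux or root. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum init_action { ACT_CONTINUE, ACT_REEXEC, ACT_HALT };

/* 1 = enforcing, 0 = permissive, -1 = SELinux disabled.
 * cmdline/config hold the text of /proc/cmdline and /etc/selinux/config. */
int resolve_enforce(const char *cmdline, const char *config)
{
    const char *p;

    /* Kernel command line wins; require a token boundary before the key. */
    if ((p = strstr(cmdline, "selinux=0")) && (p == cmdline || p[-1] == ' '))
        return -1;
    if ((p = strstr(cmdline, "enforcing=")) && (p == cmdline || p[-1] == ' '))
        return atoi(p + strlen("enforcing=")) ? 1 : 0;

    /* Otherwise the first SELINUX= line of the config; '#' lines never match. */
    for (p = config; p && *p; ) {
        const char *nl = strchr(p, '\n');
        if (strncmp(p, "SELINUX=", 8) == 0) {
            if (strncmp(p + 8, "enforcing", 9) == 0)  return 1;
            if (strncmp(p + 8, "permissive", 10) == 0) return 0;
            if (strncmp(p + 8, "disabled", 8) == 0)    return -1;
        }
        p = nl ? nl + 1 : NULL;
    }
    return 1; /* nothing usable: fail closed (this example's choice) */
}

/* What init does on this pass.
 * reexeced: SELINUX_INIT is set, i.e. this is the pass after execv().
 * enabled:  is_selinux_enabled() reports policy already loaded.
 * load_ok:  selinux_init_load_policy() returned 0 on this pass.
 * enforce:  result of resolve_enforce(). */
enum init_action decide(int reexeced, int enabled, int load_ok, int enforce)
{
    if (reexeced || enabled)
        return ACT_CONTINUE;          /* policy in place; carry on booting */
    if (enforce < 0)
        return ACT_CONTINUE;          /* SELinux disabled: nothing to load */
    if (load_ok)
        return ACT_REEXEC;            /* re-exec so init gets its own domain */
    /* Load failed: refuse to boot unconfined, but only in enforcing mode. */
    return enforce > 0 ? ACT_HALT : ACT_CONTINUE;
}

/* Walk init's first pass and, if it re-execs, its second.  Returns the number
 * of passes before init proceeded to boot, -1 if it halted, -2 if the
 * re-exec guard failed and init would have exec'd itself forever. */
int simulate_boot(const char *cmdline, const char *config, int loader_succeeds)
{
    int reexeced = 0, enabled = 0, passes = 0;
    int enforce = resolve_enforce(cmdline, config);

    while (passes < 3) {
        int load_ok = 0;
        passes++;
        if (!reexeced && !enabled && enforce >= 0)
            load_ok = loader_succeeds; /* stand-in for selinux_init_load_policy() */
        switch (decide(reexeced, enabled, load_ok, enforce)) {
        case ACT_HALT:
            return -1;
        case ACT_CONTINUE:
            return passes;
        case ACT_REEXEC:
            /* Real init: putenv("SELINUX_INIT=YES"); execv(myname, argv);
             * after the exec, is_selinux_enabled() is true as well. */
            reexeced = 1;
            enabled = 1;
            break;
        }
    }
    return -2;
}

int main(void)
{
    /* Constructed stand-ins for /proc/cmdline and /etc/selinux/config. */
    const char *config = "# SELinux state\nSELINUX=enforcing\nSELINUXTYPE=default\n";
    printf("enforcing, loader ok  : passes=%d\n", simulate_boot("root=/dev/sda1 ro quiet", config, 1));
    printf("enforcing, loader fail: passes=%d (halt)\n", simulate_boot("root=/dev/sda1 ro quiet", config, 0));
    printf("enforcing=0 override  : passes=%d\n", simulate_boot("root=/dev/sda1 enforcing=0", config, 0));
    printf("selinux=0             : passes=%d\n", simulate_boot("root=/dev/sda1 selinux=0", config, 0));
    return 0;
}
```

Build it with cc -o init-model init-model.c and run it. A real init would replace the stub in simulate_boot() with selinux_init_load_policy(), and the ACT_REEXEC arm with putenv("SELINUX_INIT=YES") followed by execv(); without that guard (or is_selinux_enabled() turning true) the second pass would load and exec again, which is what the -2 return models.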
