Re: Parallellizing the boot in Debian Squeeze - ready for wider testing
On Sun, May 09 2010, Steve Langasek wrote:
> On Sun, May 09, 2010 at 02:45:39PM -0700, Manoj Srivastava wrote:
>> One of my concerns about upstart is that systems that want to
>> use SELinux and upstart _have_ to also use an initramfs, which is yet
>> another component of the system that has to be audited. There have
>> been patches proposed, and semi-rejected by the upstart folks, who are
>> of the opinions that only systems using initramfs need apply.
>
>> The bug report in question is #543420, please read it for the
>> details (I am arguably biased). I am also willing to re-work the patch
>> to not link with libsepol, so minimizing the dependencies to
>> libselinux.
>
> In speaking with upstart upstream, I understand that the argument against
> linking to libselinux is that, as the kernel is neutral wrt the choice of
> LSM, the init process should be also. Linking it against libselinux would
> not be LSM-neutral.

Could you perhaps expand on this a bit? The patch I submitted by
no means makes upstart require SELinux, nor does it preclude supporting
other security modules. Indeed, any other LSM support that is needed
can still be patched in. I think that we could get an upstart that
supports all LSMs natively, as opposed to supporting none, at very
little added in the way of maintenance overhead.

> And you don't have to use an initramfs; the same result could be
> achieved with a shim init on the root filesystem that does nothing but
> set up the SELinux context correctly and then exec upstart.

err, does that mean sham init? If so, I suppose that is
something that can be explored. Russell, comments?

manoj
--
All the world's a stage and most of us are desperately unrehearsed. Sean
O'Casey
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
4096R/C5779A1C E37E 5EC5 2A01 DA25 AD20 05B6 CF48 9438 C577 9A1C