
Re: Parallellizing the boot in Debian Squeeze - ready for wider testing

On Sun, May 09, 2010 at 06:09:10PM -0700, Manoj Srivastava wrote:
> > In speaking with upstart upstream, I understand that the argument against
> > linking to libselinux is that, as the kernel is neutral wrt the choice of
> > LSM, the init process should be also.  Linking it against libselinux would
> > not be LSM-neutral.

>         Could you perhaps expand on this a bit? The patch I submitted by
>  no means makes upstart require SELinux, nor does it preclude supporting
>  other security modules. Indeed, any other LSM support that is needed
>  can still be patched in. I think that we could get an upstart that
>  supports all LSMs natively, as opposed to supporting none, at very
>  little added in the way of maintenance overhead.

Given the difference in how kernels vs. init daemons are usually
administered as part of a system, I think the runtime impact of supporting
multiple LSMs in init is much more significant than supporting multiple LSMs
in the kernel.  I don't think we want init to have shared lib deps for each
of the available LSMs.

> > And you don't have to use an initramfs; the same result could be
> > achieved with a shim init on the root filesystem that does nothing but
> > set up the SELinux context correctly and then exec upstart.

>         err, does that mean sham init?

"shim" is the word I mean.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
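
Added example (not part of the original message, and not upstart or Debian code): the shim init mentioned above, written so that the shim itself links against no LSM library and hands the SELinux-specific step to an external helper. It assumes the policy loader is installed as /sbin/load_policy and accepts -i for the initial load, and uses a hypothetical /sbin/init.real as the path of the real init.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define POLICY_LOADER "/sbin/load_policy" /* assumed helper location */
#define REAL_INIT     "/sbin/init.real"   /* hypothetical path of the real init */

/* Run a helper to completion. Returns its exit status, 127 if the exec
 * failed, or -1 if it could not be forked or was killed by a signal. */
int run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);               /* only reached when execv fails */
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    char *const loader_argv[] = { "load_policy", "-i", NULL };
    int rc = run_helper(POLICY_LOADER, loader_argv);

    (void)argc;
    /* Whether to halt or continue on failure is a site decision;
     * this example logs the failure and continues. */
    if (rc != 0)
        fprintf(stderr, "shim: policy load failed (%d)\n", rc);

    /* execv keeps PID 1. With the policy loaded, the real init is
     * exec'd under whatever transition the policy defines for it. */
    argv[0] = REAL_INIT;
    execv(REAL_INIT, argv);
    perror("shim: exec " REAL_INIT);
    return 1;
}
```

Swapping POLICY_LOADER for another LSM's loader changes nothing else in the shim, and the real init keeps no per-LSM shared library dependency.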
