On Sun, May 09, 2010 at 02:45:39PM -0700, Manoj Srivastava wrote: > One of my concerns about upstart is that systems that want to > use SELinux and upstart _have_ to also use an initramfs, which is yet > another component of the system that has to be audited. There have > been patches proposed, and semi-rejected b the upstart folks, who are > of the opinions that only systems using initramfs need apply. > The bug report in question is #543420, please read it for the > details (I am arguably biased). I am also willing to re-work the patch > to not link with libsepol, so minimizing the dependencies to > libselinux. In speaking with upstart upstream, I understand that the argument against linking to libselinux is that, as the kernel is neutral wrt the choice of LSM, the init process should be also. Linking it against libselinux would not be LSM-neutral. And you don't have to use an initramfs; the same result could be achieved with a shim init on the root filesystem that does nothing but set up the SELinux context correctly and then exec upstart. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer http://www.debian.org/ slangasek@ubuntu.com vorlon@debian.org
Attachment:
signature.asc
Description: Digital signature