
Re: Parallellizing the boot in Debian Squeeze - ready for wider testing



On Sun, May 09 2010, Steve Langasek wrote:

> On Sun, May 09, 2010 at 02:45:39PM -0700, Manoj Srivastava wrote:
>>         One of my concerns about upstart is that systems that want to
>>  use SELinux and upstart _have_ to also use an initramfs, which is yet
>>  another component of the system that has to be audited.  There have
>>  been patches proposed, and semi-rejected by the upstart folks, who are
>>  of the opinion that only systems using initramfs need apply.
>
>>         The bug report in question is #543420, please read it for the
>>  details (I am arguably biased). I am also willing to re-work the patch
>>  to not link with libsepol, so minimizing the dependencies to
>>  libselinux. 
>
> In speaking with upstart upstream, I understand that the argument against
> linking to libselinux is that, as the kernel is neutral wrt the choice of
> LSM, the init process should be also.  Linking it against libselinux would
> not be LSM-neutral.

        Could you perhaps expand on this a bit? The patch I submitted by
 no means makes upstart require SELinux, nor does it preclude supporting
 other security modules. Indeed, any other LSM support that is needed
 can still be patched in. I think that we could get an upstart that
 supports all LSMs natively, as opposed to supporting none, at very
 little added in the way of maintenance overhead.

> And you don't have to use an initramfs; the same result could be
> achieved with a shim init on the root filesystem that does nothing but
> set up the SELinux context correctly and then exec upstart.

        err, does that mean sham init? If so, I suppose that is
 something that can be explored. Russell, comments?

        manoj
-- 
All the world's a stage and most of us are desperately unrehearsed. Sean
O'Casey
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
4096R/C5779A1C E37E 5EC5 2A01 DA25 AD20  05B6 CF48 9438 C577 9A1C
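
The shim init that Steve describes in the quoted text above, sketched as an added example; it is not code from this thread, from upstart, or from bug #543420. Assumptions: the real init has been moved to the hypothetical path /sbin/upstart, `load_policy -i` from policycoreutils is available on the root filesystem, only /etc/selinux/config is consulted (not the kernel command line), and refusing to continue when an enforcing system cannot load policy is this example's own choice.

```shell
#!/bin/sh
# Added example: shim /sbin/init that loads SELinux policy, then execs the real init.
# Assumptions: REAL_INIT is a hypothetical path; load_policy comes from policycoreutils.
: "${SELINUX_CONFIG:=/etc/selinux/config}"
: "${LOAD_POLICY:=/sbin/load_policy}"
: "${REAL_INIT:=/sbin/upstart}"

# Print the configured mode: enforcing, permissive or disabled.
# This example treats a missing or unparsable config as disabled.
selinux_mode() {
    mode=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$SELINUX_CONFIG" 2>/dev/null | tail -n 1)
    case "$mode" in
        enforcing|permissive) echo "$mode" ;;
        *) echo disabled ;;
    esac
}

# Load policy, then replace this process with the real init. The exec matters:
# the init_t domain transition only happens on an exec made after policy load.
shim_init() {
    mode=$(selinux_mode)
    status=0
    if [ "$mode" != disabled ]; then
        "$LOAD_POLICY" -i || status=$?      # -i: initial policy load at boot
    fi
    # Fail closed (this example's choice): never start an unconfined init
    # on a system that is configured as enforcing.
    if [ "$mode" = enforcing ] && [ "$status" -ne 0 ]; then
        echo "shim-init: policy load failed in enforcing mode" >&2
        return 1
    fi
    exec "$REAL_INIT" "$@"
}

# Only act when running as PID 1; if shim_init returns, PID 1 exits and the
# kernel panics, which is the intended stop in the fail-closed case.
if [ "$$" -eq 1 ]; then
    shim_init "$@"
fi
```

The shim itself becomes one more component on the root filesystem that has to be audited and labelled, which is the trade-off against the initramfs approach raised earlier in the thread.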

