[DSE-Dev] The future of the boot system in Debian

Manoj Srivastava srivasta at debian.org
Sun Sep 6 06:45:35 UTC 2009


Package: upstart
Severity: wishlist
Version: 0.6.3
Tags: patch

On Sat, Sep 05 2009, Manoj Srivastava wrote:

>         One of the features missing in upstart that is present in
>  sysvinit is that the latter loads SELinux security policy early in the
>  boot sequence, and the former does not (please correct me if this is not
>  the case).  I would be happy to help integrate selinux into upstart,
>  if that is the future of booting in Debian.
>
>         Having /sbin/init load the security policy is good because:
>  a) Doing it in an init script makes it easier to bypass security by
>     running another script earlier (so a malicious superuser may
>     trivially bypass security on reboot). This is even harder to prevent
>     using an event based system.
>  b) Using an init script makes it impossible to enforce security
>     policies and access control over which files /sbin/init may read,
>  c) Since it is compiled in, there is no dependency on things in
>     /usr/bin -- like load_policy, which also needs libsepol1 from /usr,
>     which is not small,
>  d) Putting policy loading in initramfs is bad for two reasons:
>     i) It means we would no longer support SELinux use without having to
>        use initramfs -- my machines do not use either an initramfs, nor
>        modules -- which is easy when using custom kernels, and I think
>        is a use case Debian should continue to support
>    ii) We would need to either patch something in the initramfs to link
>        with libselinux1, to load policy directly, or we will have to
>        load into the initramfs load_policy and libsepol1 from /usr,
>        Adding a couple of small hunks to whatever provides /sbin/init
>        seems easier.
>  e) At this point, we only have two candidates for /sbin/init, sysvinit
>     and upstart, so the burden of writing patches is not onerous, and in
>     any case, I am volunteering to help create the patches.

        Well, here is a (lightly) tested patch for upstart.

        manoj

-------------- next part --------------
A non-text attachment was scrubbed...
Name: upstart-selinux.patch
Type: text/x-diff
Size: 6711 bytes
Desc: Patch adding SELinux support
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20090906/cff44c6d/attachment.patch>
-- 
I would rather say that a desire to drive fast sports cars is what sets
man apart from the animals.
Manoj Srivastava <srivasta at debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C