[DSE-Dev] Bug#753727: Bug#753727: reason for this
Laurent Bigonville
bigon at debian.org
Sat Jul 5 09:03:32 UTC 2014
On Sat, 05 Jul 2014 11:46:08 +1000,
Russell Coker <russell at coker.com.au> wrote:
> > The current version of libselinux1.postinst runs "telinit u" to tell
> > init to re-exec itself. This was added so the system can shutdown
> > cleanly when sysvinit is the active PID 1.
>
> AFAIK that was never the case.
>
> The reason for running "telinit u" when a shared object that init
> uses is upgraded is so that init will start using the new version.
>
> I don't think we can unconditionally avoid such an operation. If at
> some future time we find a security flaw in one of those libraries
> that can affect the operation of process 1 there needs to be a way of
> causing the buggy library to be removed from memory. If systemd is
> unable to handle this correctly then that would be a bug in systemd.
>
> Also there is the possibility of an upgrade requiring a file format
> change to something under /etc/selinux. Upgrades of SE Linux user
> space between major versions of Debian without a reboot are
> officially unsupported (I'll close any bug report of the form "I did
> a dist-upgrade from wheezy to jessie without rebooting and things
> didn't work correctly"), so this shouldn't be a problem.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=753790
>
> I don't think that systemd needs to get the new library instantly
> (not even for a security issue). But it definitely needs to get it
> before the next reboot (which may be a year later). So maybe we
> could have a trigger or something and let systemd work it out. I
> have filed bug report #753790 against systemd for this.
>
Quickly looking at the libsepol case, I'm not sure why we are
re-executing init in this case at all. sysvinit doesn't seem to use
any of its symbols and libselinux itself is statically linked against
it.
Or did I overlook something?
Cheers,
Laurent Bigonville
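The two questions raised in this thread (does process 1 actually link the upgraded library, and is it still running the old copy after the upgrade) can both be answered from outside the package scripts. The script below is an added example, not code from the thread, sysvinit or the Debian SELinux packages. It assumes only the standard /proc/<pid>/maps layout (the kernel appends " (deleted)" to a mapping whose file has been unlinked, which is what a package upgrade does to the old .so) and, for the link check, `readelf` from binutils. The sample maps content in the usage below is constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): decide whether PID 1
# needs a re-exec ("telinit u") after a shared-library upgrade.
#
# When dpkg replaces /lib/.../libfoo.so.N, the old inode stays mapped in
# every process that loaded it and the kernel shows that mapping as
#   <addr> <perms> <off> <dev> <inode> /lib/.../libfoo.so.N (deleted)
# in /proc/<pid>/maps. Until the process re-execs, it keeps running the
# old code, including any flaw the upgrade was meant to remove.

# Print the unique shared objects a process still maps from a replaced
# file. Argument: a maps file (default /proc/1/maps, which needs root).
stale_libs() {
    maps="${1:-/proc/1/maps}"
    # $6 is the pathname, $7 is the "(deleted)" marker when present.
    # Restrict to shared objects: name ends in .so or .so.<digits>...
    awk '$6 ~ /\.so(\.[0-9]+)*$/ && $7 == "(deleted)" { print $6 }' \
        "$maps" | sort -u
}

# Return 0 (true) if at least one stale shared object is mapped,
# i.e. a re-exec of the process is warranted; 1 otherwise.
init_needs_reexec() {
    if [ -n "$(stale_libs "$1")" ]; then
        return 0
    else
        return 1
    fi
}

# Return 0 if binary $1 records library $2 as a DT_NEEDED dependency.
# This is the static side of the question ("does init use libsepol at
# all?"); a library pulled in only indirectly shows up in maps, not here.
# Assumes readelf (binutils) is installed.
links_lib() {
    readelf -d "$1" 2>/dev/null | grep -q "(NEEDED).*$2"
}

# Typical use on a live system (as root):
#   . ./stale_libs.sh
#   links_lib /sbin/init libsepol   && echo "init links libsepol"
#   init_needs_reexec /proc/1/maps  && echo "PID 1 runs stale library code"
#   stale_libs                      # list the stale objects themselves
```

`stale_libs` takes the maps file as a parameter so the same logic can be run against a saved copy of `/proc/1/maps` from a host under investigation; a non-empty result on process 1 after an upgrade is exactly the situation the `telinit u` call in the postinst is there to resolve, and an empty one means the re-exec was unnecessary for that upgrade.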