[DSE-Dev] init: delegate selinux operation to separate binary

Laurent Bigonville bigon at debian.org
Thu May 16 10:51:54 BST 2019


On 16/05/19 at 11:43, Laurent Bigonville wrote:
> On Thu, 16 May 2019 08:54:43 +0000 Dmitry Bogatov <KAction at debian.org> wrote:
> >
> > From 7f6242e5f3d893e90b3ed44fb09abe5983c2d49a Mon Sep 17 00:00:00 2001
> > From: Dmitry Bogatov <KAction at debian.org>
> > Date: Wed, 15 May 2019 12:10:13 +0000
> > Subject: [PATCH] init: delegate selinux operation to separate binary
> >
> > Move selinux-related logic from /sbin/init into separate binary
> > (/sbin/selinux-check) by default. This way, /sbin/init is no longer
> > linked against libselinux (and its transitive dependencies).
> >
> > If the user needs selinux initialization, she can install
> > /sbin/selinux-check separately.
>
> Can you please explain the rationale behind this?
>
> This looks like a bad idea to me. SELinux needs to be initialized as
> soon as possible during the boot otherwise this will call for issues.
>
> Was that discussed with anybody involved in SELinux in Debian and/or
> upstream?
>
Note that if you want to reduce the dependencies, you can drop 
"-libsepol" from INITLIBS in src/Makefile.

This is not needed (anymore?)



