[DSE-Dev] init: delegate selinux operation to separate binary

Laurent Bigonville bigon at debian.org
Thu May 16 10:43:28 BST 2019


On Thu, 16 May 2019 08:54:43 +0000 Dmitry Bogatov <KAction at debian.org> 
wrote:
 >
 > From 7f6242e5f3d893e90b3ed44fb09abe5983c2d49a Mon Sep 17 00:00:00 2001
 > From: Dmitry Bogatov <KAction at debian.org>
 > Date: Wed, 15 May 2019 12:10:13 +0000
 > Subject: [PATCH] init: delegate selinux operation to separate binary
 >
 > Move selinux-related logic from /sbin/init into separate binary
 > (/sbin/selinux-check) by default. This way, /sbin/init is no longer
 > linked against libselinux (and its transitive dependencies).
 >
 > If the user needs selinux initialization, she can install /sbin/selinux-check
 > separately.

Can you please explain the rationale behind this?

This looks like a bad idea to me. SELinux needs to be initialized as 
soon as possible during the boot, otherwise this will call for issues.

Was that discussed with anybody involved in SELinux in Debian and/or 
upstream?



