[DSE-Dev] init: delegate selinux operation to separate binary
Dmitry Bogatov
KAction at debian.org
Sat May 18 12:31:30 BST 2019
[2019-05-16 11:43] Laurent Bigonville <bigon at debian.org>
> On Thu, 16 May 2019 08:54:43 +0000 Dmitry Bogatov <KAction at debian.org>
> wrote:
> >
> > From 7f6242e5f3d893e90b3ed44fb09abe5983c2d49a Mon Sep 17 00:00:00 2001
> > From: Dmitry Bogatov <KAction at debian.org>
> > Date: Wed, 15 May 2019 12:10:13 +0000
> > Subject: [PATCH] init: delegate selinux operation to separate binary
> Can you please explain the rationale behind this?
This way, /sbin/init is no longer linked against libselinux (and its
transitive dependencies).
If a user needs selinux initialization, she can install
/sbin/selinux-check separately.
> This looks like a bad idea to me. SELinux needs to be initialized as
> soon as possible during the boot otherwise this will call for issues.
As you may see, this patch does not change the time during boot when
selinux functions are called -- it only moves them into a child process.
> Was that discussed with anybody involved in SELinux in debian and/or
> upstream?
That is exactly the place to start the discussion. Luckily, Jesse is following
the BTS, and I do not have to go through the Savannah issue tracker.
PS. I removed -lselinux from INITLIBS in src/Makefile.
--
Note, that I send and fetch email in batch, once every 24 hours.
If matter is urgent, try https://t.me/kaction