[DSE-Dev] init: delegate selinux operation to separate binary

Dmitry Bogatov KAction at debian.org
Wed May 22 00:45:09 BST 2019


[2019-05-18 15:00] Laurent Bigonville <bigon at debian.org>
> I've seen that in your commit, I just don't understand why this is even 
> a goal.

Because I do not want to pay for what I do not use. It is a matter of good
design and the Unix way.

> libselinux is really small and only pulls libpcre3 which is pulled by
> grep (which is Essential). It's not possible today to install debian
> without libselinux installed anyway.

A path of a thousand miles starts with a single step.

> Also, what's your plan regarding packaging? Would that executable be
> put in a separate package?

Yes, that is the plan.

> TBRH I spent a lot of time working opening bugs/submitting patches in
> debian so the user who wants to use SELinux can get (an almost) out of
> the box experience in debian and I would not really be happy to see
> that attempt to revert that in a core component.

And I spend a lot of time on not having useless things installed on my
box.

What is wrong with having selinux support in a separate package? Just
enable "Apt::InstallSuggests" and you are golden.

> If you really (really) want to go that way, maybe you should use a
> private path for the helper (as it shouldn't be called by regular users
> after the initial load) and/or use a less common name than "selinux-check".

No problem. I do not insist on any particular naming of the helper and I
installed it into sbin just to reduce the Makefile part of the patch.

It was my plan to install it into /lib/init/ anyway, and you are welcome
to propose any name. What do you suggest?

> >> Was that discussed with anybody involved in SELinux in debian and/or
> >> upstream?
> > That is exactly the place to start the discussion. Luckily, Jesse is following
> > BTS, and I do not have to go through Savannah issue tracker.
>
> I was more thinking about upstream SELinux people

Okay. I see you added "selinux-devel" into thread. Thank you.

Dear selinux-devel maintainers, we are considering moving the following
check from /sbin/init into a subprocess:

   if (getenv("SELINUX_INIT") == NULL) {
     if (is_selinux_enabled() != 1) {
       if (selinux_init_load_policy(&enforce) == 0) {
         putenv("SELINUX_INIT=YES");
         execv(myname, argv);
       } else {
         if (enforce > 0) {
           /* SELinux in enforcing mode but load_policy failed */
           /* At this point, we probably can't open /dev/console, so log() won't work */
           fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
           exit(1);
         }
       }
     }
   }

Are there any possible unwanted side-effects? Any suggestions about it?
-- 
        Note, that I send and fetch email in batch, once every 24 hours.
                 If matter is urgent, try https://t.me/kaction
                                                                             --
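
The delegation asked about in the message above, sketched as an added example (not code from the thread, the patch, or sysvinit): the parent runs a helper and maps its exit status back onto the branches of the in-process check, plus two outcomes that only exist once the check is a separate, optionally installed binary. The exit-code convention and the names `run_helper`, `classify_status` and `helper_result` are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes init has to tell apart once the check runs in a helper. */
enum helper_result {
    POLICY_LOADED,    /* exit 0: parent sets SELINUX_INIT=YES and re-execs */
    LOAD_FAILED_CONT, /* exit 1: load failed, not enforcing, keep booting */
    LOAD_FAILED_HALT, /* exit 2: load failed in enforcing mode, halt */
    HELPER_MISSING,   /* exit 127: execv() failed, helper not installed */
    HELPER_CRASHED    /* signal or unknown status: outcome unknown */
};

/* Map a waitpid() status to a decision; codes 1, 2, 127 are assumed here. */
enum helper_result classify_status(int status)
{
    if (!WIFEXITED(status)) return HELPER_CRASHED;
    switch (WEXITSTATUS(status)) {
    case 0:   return POLICY_LOADED;
    case 1:   return LOAD_FAILED_CONT;
    case 2:   return LOAD_FAILED_HALT;
    case 127: return HELPER_MISSING;
    default:  return HELPER_CRASHED;
    }
}

/* Run the helper by absolute path (execv does no PATH search) and wait. */
enum helper_result run_helper(const char *path, char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return HELPER_CRASHED;
    if (pid == 0) {
        execv(path, argv);
        _exit(127);   /* reached only when execv() failed */
    }
    while (waitpid(pid, &status, 0) != pid)
        if (errno != EINTR)
            return HELPER_CRASHED;
    return classify_status(status);
}

int main(void)
{
    char *argv[] = { "sh", "-c", "exit 2", NULL }; /* constructed stand-in helper */
    printf("result=%d\n", run_helper("/bin/sh", argv));
    return 0;
}
```

`HELPER_MISSING` and `HELPER_CRASHED` have no counterpart in the in-process snippet; whether each continues the boot or halts is a decision the split design has to make explicitly.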


