[DSE-Dev] Bug#929063: init: delegate selinux operation to separate binary

Thorsten Glaser t.glaser at tarent.de
Wed May 22 12:28:39 BST 2019

On Wed, 22 May 2019, Laurent Bigonville wrote:

> So let's be it clear for the record. I'll personally oppose all patches that
> would undermine the consistency and the experience of using SELinux in debian.

Erm… all the patch does is move the SELinux call into a separate
executable so that init itself does not need to be linked against
those libraries and doesn’t need to keep them resident (and will
not be affected by flaws in those libraries, keeping the attack
surface small, unlike *cough* others).

As long as that other executable will end up in the same binary
package in Debian, there will be no user-visible change save for
saving some RAM.

(I’m not quite convinced the effort is worth it, but given that
this would be changed upstream, and that there are likely other
users of the same upstream code who’re _not_ using SELinux, this
would be very welcomed by those, so I’m okay with it.)

tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg


Mit der tarent Academy bieten wir auch Trainings und Schulungen in den
Bereichen Softwareentwicklung, Agiles Arbeiten und Zukunftstechnologien an.

Besuchen Sie uns auf www.tarent.de/academy. Wir freuen uns auf Ihren Kontakt.


More information about the SELinux-devel mailing list