Re: [RFC] change policy loading to initramfs

[Stephen Smalley <sds tycho nsa gov>]

On Wed, 2008-01-23 at 17:29 -0500, Bill Nottingham wrote:
> We're looking to move to a different init system in Fedora - the
> current work is going to be around upstart, most likely. upstart
> does not have native code for loading the SELinux policy.
> 
> We could modify every possible init to load the policy... but
> that would be painful. So we might as well move to having the
> policy loaded from the initramfs. The attached patches are the
> first quick cut at doing that.
> 
> The main patch is for mkinitrd/nash; there's a short patch for the
> current init, as it will abort if policy is already loaded. We
> can't actually remove the code from init to load the policy, as
> there will always be older initramfses.
> 
> Comments? Ideas for different ways to do this? It's sort of ugly
> with fork and chroot(), but to avoid that we'd have to reimplement
> most, if not all, of libselinux's policy loading code directly.

Hmm...Chad Sellers was working on similar support for Ubuntu, but did it
by adding a -i option to the load_policy program to perform an initial
policy load so that you can just execute it from a script rather than
requiring a direct patch to nash or anything else.  cc'ing him.  The
load_policy -i support is upstream and should be in Fedora devel /
rawhide too.

> Bill
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- 
Stephen Smalley
National Security Agency