On 5/22/19 11:57 AM, Thorsten Glaser wrote: > On Wed, 22 May 2019, Jesse Smith wrote: > >> I don't think removing the SELinux dependency from init actually saves >> us any RAM. Several other services link to these libraries too, so the > Maybe, maybe not. (I’m fairly sure I’ve got some VMs without.) > > Other services can, however, be more easily restarted than the entire > system, in case of a security fix for that library. > >
How do you think an attacker would exploit a flaw in a SELinux library through init? SysV init doesn't interact with the user, doesn't read any files directly after it's up and running, doesn't listen on any sockets. About the only way to interact with PID1 is through a pipe that can only be written to by root.