Package: upstart
Version: 0.6.3-1
Severity: wishlist
I tried to use upstart with SELinux and it looks like some bits are missing to
properly set it up. Ubuntu includes them in a package called "selinux".
What we need are two files in /etc/initramfs-tools/scripts/init-bottom as
attached. I'm not sure if upstart is the right package for it, but considering
that it seems to work with normal inits, and as it's mentioned in a related
"upstart with SELinux" bug over at Launchpad, it might be a sane workaround.
The only change I applied wrt the Ubuntu package is to change the path to
load_policy from /sbin to /usr/sbin. As the script in question chroots to the
new root anyway this seems "somewhat" ok. Of course that fails if /usr is a
separate mount point, so in the long term that utility would need to be moved.
However, I've just started with SELinux so I cc'ed our two SELinux gurus on
that.
(On a sidenote: Sadly there is something wrong in sid so that Xorg cannot
communicate with hal/dbus after selinux is activated even in permissive mode
(maybe they are set into some selinux mode?), so one loses keyboard and mouse.
One is getting to the point of a getty prompt, though, if gdm is deactivated.)
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.31-rc6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages upstart depends on:
ii initscripts 2.87dsf-2 scripts for initializing and shutt
ii libc6 2.9-25 GNU C Library: Shared libraries
ii libdbus-1-3 1.2.16-2 simple interprocess messaging syst
ii sysv-rc 2.87dsf-2 System-V-like runlevel change mech
ii sysvinit-utils 2.87dsf-2 System-V-like utilities
upstart recommends no packages.
upstart suggests no packages.
-- no debconf information
#! /bin/sh
set -e
. /scripts/functions
PREREQ="framebuffer console_setup"
prereqs () {
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# Mount the selinux directory in both the ramdisk's root as well as in
# the real root directory.
mkdir -p /selinux
mkdir -p "${rootmnt}/selinux"
# Temporarily pivot to the real root directory, loading the policy
# from that disk. Normally this process will occur by init, but kinit
# is not compiled against libselinux. Therefore use load_policy to
# perform the same initialization.
# Disable errexit here so the exit status of load_policy can be
# inspected instead of aborting the script.
set +e
chroot "${rootmnt}" /usr/sbin/load_policy -i
RET=$?
if [ $RET -eq 3 ]; then
    panic "SELinux policy load failed and enforcing mode requested, halting now"
    kill -INT 1
elif [ $RET -ne 0 ]; then
    log_warning_msg "SELinux policy load failed, continuing"
else
    log_success_msg "SELinux policy was loaded"
fi
mount -t selinuxfs none /selinux || \
    log_warning_msg "Unable to mount /selinux"
exit 0
#! /bin/sh
set -e
. /scripts/functions
PREREQ="framebuffer console_setup"
prereqs () {
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# Temporarily bind-mount the ramdisk's /dev into the real root so that
# restorecon inside the chroot can relabel it.
mount --bind -o rw /dev "${rootmnt}/dev"
# Disable errexit so a relabel failure is reported rather than fatal.
set +e
# restore the labels in /dev
chroot "${rootmnt}" /sbin/restorecon -R /dev
RET=$?
if [ $RET -ne 0 ]
then
    log_warning_msg "Restorecon failed to relabel /dev, continuing"
fi
set -e
umount "${rootmnt}/dev"
exit 0
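The path problem the report describes (Ubuntu's script hard-codes /sbin/load_policy, the Debian package ships /usr/sbin/load_policy, and a separate /usr may not be mounted yet when init-bottom runs) can be made explicit in the script instead of being hard-coded. The following is an added example, not code from the bug report, from Ubuntu's "selinux" package or from initramfs-tools; the function names `find_load_policy`, `usr_is_populated`, `describe_load_policy_rc` and `load_policy_in_root`, the candidate list and the `CHROOT_CMD` override are assumptions made here for illustration. It keeps the attached script's reading of load_policy's exit status (0 loaded, 3 failed with enforcing requested, anything else a warning) and claims nothing beyond that.

```shell
#!/bin/sh
# Added example, not from the bug report or the Ubuntu "selinux" package.
# Locates load_policy inside the real root whether the distribution ships
# it in /sbin or /usr/sbin, reports a separate, still-unmounted /usr as a
# distinct failure, and classifies the exit status the same way the
# attached init-bottom script does.

# Locations tried, relative to the real root, in order of preference.
# (Assumed list: the Ubuntu script hard-codes /sbin, the Debian package
# in the report has it under /usr/sbin.)
LOAD_POLICY_CANDIDATES="/sbin/load_policy /usr/sbin/load_policy"

# find_load_policy ROOT
# Prints the root-relative path of the first executable candidate.
# Returns 1 (prints nothing) when none is found.
find_load_policy() {
    _root=$1
    for _p in $LOAD_POLICY_CANDIDATES; do
        if [ -x "${_root}${_p}" ]; then
            printf '%s\n' "$_p"
            return 0
        fi
    done
    return 1
}

# usr_is_populated ROOT
# Returns 0 when ROOT/usr/sbin exists and is non-empty. An empty /usr/sbin
# under the real root is the symptom of a separate /usr that has not been
# mounted yet when init-bottom runs.
usr_is_populated() {
    [ -d "$1/usr/sbin" ] && [ -n "$(ls -A "$1/usr/sbin" 2>/dev/null)" ]
}

# describe_load_policy_rc STATUS
# Mirrors the attached script: 0 means the policy was loaded, 3 means the
# load failed while enforcing mode was requested (the script panics),
# anything else is logged as a warning and boot continues.
describe_load_policy_rc() {
    case $1 in
        0) echo loaded ;;
        3) echo halt ;;
        *) echo warn ;;
    esac
}

# load_policy_in_root ROOT
# Runs load_policy -i inside ROOT via chroot and prints loaded|halt|warn.
# Prints "nousr" when the binary is absent because /usr is not there yet,
# and "missing" when it is absent although /usr is populated; both
# return 1. CHROOT_CMD is an assumed override so the logic can be
# exercised as an unprivileged user (default: the real chroot).
load_policy_in_root() {
    _root=$1
    if ! _bin=$(find_load_policy "$_root"); then
        if usr_is_populated "$_root"; then
            echo missing
        else
            echo nousr
        fi
        return 1
    fi
    _rc=0
    ${CHROOT_CMD:-chroot} "$_root" "$_bin" -i || _rc=$?
    describe_load_policy_rc "$_rc"
}
```

In an init-bottom script this would be called as `load_policy_in_root "${rootmnt}"` after `set +e`, branching on the printed word the way the attached script branches on `$RET`; with `CHROOT_CMD` unset the real `chroot` is used, so the call still has to run as root from the initramfs.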