Russell Coker wrote:
> On Tuesday 25 August 2009 13:51:14 Manoj Srivastava wrote:
>> Suse actually copies the file over into the initramfs, instead
>> of moving the file from /usr/sbin to /sbin; since the only place this
>> is even marginally useful is before init has started; init loads
>> selinux policy directly without needing load_policy, and re-exec's
>> itself.
>>
>> Given that it is useful during very early boot before init is
>> started, it would be a good solution to add this file to the
>> initramfs. Otherwise even people not using initramfs will have a larger
>> /
>
> Actually it is not useful at all to do such things before init is started.
>
> All processes that run before init have super-user access. There is no benefit
> in confining them.
>
> init is quite good at loading the policy. We only need to load it
> automatically in one place. init is about initialising the system, this
> includes loading the policy.
>
> The smallest possible size of the root filesystem will be achieved if init is
> the only code on it that loads policy. Having several copies of load_policy
> in the various initramfs files (backup files, files for Xen and non-Xen kernels,
> and for different kernel versions) takes more space on /boot (which is often
> the root filesystem).
>
> We have had init loading the policy for years, there is no problem with this.
>
> There is no need for a change.
Hi everyone,

first of all, thanks for the patches and interest you've shown so far.

As maintainer of upstart I currently prefer the initramfs solution given the following arguments:

- selinux is only used by a very low percentage of our users
- linking against selinux means the list of dependencies increases, which increases the potential for failures. I try to keep the dependencies as minimal as possible.
- the package will be entangled in libselinux testing transitions (libselinux seems to bump shlibs very regularly)
- I don't see a good reason to patch each and every /sbin/init if we can just add support in one place, i.e. the initramfs
- I would include the selinux initramfs bits in one of the selinux packages, so people not using selinux won't get the additional bloat. Btw, it would be good to have hard numbers, by what size the initramfs increases. I don't use selinux, so I can't tell.
- upstream selinux and upstart maintainers seem to prefer the initramfs solution. Without compelling arguments I won't divert from that decision.
- given that upstream is not going to include the selinux patch in upstart (as it currently stands), I'd have to carry the patch forever. Not something I'm very fond of.

Cheers,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the universe are pointed away from Earth?
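The request above for hard numbers on how much the SELinux early-boot bits would grow an initramfs can be answered by measuring rather than guessing. The script below is an added example, not code from the thread or from any Debian package: it takes an already unpacked initramfs tree (for instance extracted with `zcat initrd.img | cpio -id` into a scratch directory) and reports the bytes contributed by `load_policy` and the libselinux/libsepol shared objects against the tree's total. The file-name patterns and the directory layout of the constructed sample tree are assumptions made for the example, not something the thread states.

```shell
#!/bin/sh
# Added example (not part of the original thread): size up the SELinux
# early-boot pieces inside an unpacked initramfs tree using POSIX tools only.
# Assumption: the tree is already unpacked into a directory; the names
# matched below (load_policy, libselinux.so*, libsepol.so*) are the files
# the Suse/Debian initramfs approach would have to carry.

# Total bytes of all regular files under the given directory.
tree_bytes() {
    { find "$1" -type f -exec cat '{}' + ; } | wc -c | tr -d ' '
}

# Bytes of the SELinux-specific files only (binary plus its libraries).
selinux_bytes() {
    { find "$1" -type f \( -name 'load_policy' \
                           -o -name 'libselinux.so*' \
                           -o -name 'libsepol.so*' \) -exec cat '{}' + ; } \
        | wc -c | tr -d ' '
}

# Percentage (integer) of the tree taken by the SELinux files; 0 for an
# empty tree so the caller never divides by zero.
selinux_percent() {
    total=$(tree_bytes "$1")
    [ "$total" -eq 0 ] && { echo 0; return; }
    sel=$(selinux_bytes "$1")
    echo $(( sel * 100 / total ))
}

# Build a constructed sample tree with files of known sizes so the script
# can be run without a real initramfs at hand.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin" "$d/lib/x86_64-linux-gnu"
    dd if=/dev/zero of="$d/sbin/init"                             bs=1000 count=1 2>/dev/null
    dd if=/dev/zero of="$d/sbin/load_policy"                      bs=1000 count=1 2>/dev/null
    dd if=/dev/zero of="$d/lib/x86_64-linux-gnu/libselinux.so.1"  bs=1000 count=1 2>/dev/null
    dd if=/dev/zero of="$d/lib/x86_64-linux-gnu/libsepol.so.1"    bs=1000 count=1 2>/dev/null
    dd if=/dev/zero of="$d/lib/x86_64-linux-gnu/libc.so.6"        bs=1000 count=6 2>/dev/null
    echo "$d"
}

# Usage: selinux_report /path/to/unpacked/initramfs
selinux_report() {
    printf 'total bytes:   %s\n' "$(tree_bytes "$1")"
    printf 'selinux bytes: %s\n' "$(selinux_bytes "$1")"
    printf 'selinux share: %s%%\n' "$(selinux_percent "$1")"
}

# Run against the constructed tree when executed directly.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    selinux_report "$sample"
    rm -rf "$sample"
fi
```

Run it as `sh sizecheck.sh --demo` for the constructed tree, or call `selinux_report` on a real unpacked initramfs to get the per-kernel figure the thread is asking about; multiply by the number of initramfs images kept under /boot to see the cost on a small root filesystem.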