On Tue, 25 Aug 2009, Michael Biebl <[email protected]> wrote:
> first of all, thanks for the patches and interest you've shown so far.
>
> As maintainer of upstart I currently prefer the initramfs solution given
> the following arguments:
>
> - selinux is only used by a very low percentage of our users

As is Upstart, as is having /usr as a separate filesystem.

> - linking against selinux means the list of dependencies increases, which
> increases the potential for failures. I try to keep the dependencies as
> minimal as possible.

Can you cite any examples of failures in SysVInit from this?  Note that 
SysVInit has been compiled this way for a long time and is much more popular 
than Upstart.

> - the package will be entangled in libselinux testing transitions
> (libselinux seems to bump shlibs very regularly)

Has this caused problems for SysVInit?

> - I don't see a good reason to patch each and every /sbin/init if we can
> just add support in one place, i.e. the initramfs

We will have two /sbin/init programs available in Lenny.  We have patches for 
both of them.

As I noted previously your plan involves breaking support for systems without 
an initramfs.  You have not yet provided a good reason for ceasing such 
support.

> - I would include the selinux initramfs bits in one of the selinux
> packages, so people not using selinux won't get the additional bloat.

As /bin/ls is linked against libselinux every user will have it installed.

If you are worried about "additional bloat" then you will want to not require 
load_policy to be in the root filesystem and allow it to be in /usr (its 
current location).  This means not changing the way the initramfs works.

> Btw, it would be good to have hard numbers, by what size the initramfs
> increases. I don't use selinux, so I can't tell.

Why don't you just build an initramfs in the manner you advocate?  You don't 
need to use SE Linux to build the initramfs.

> - upstream selinux and upstart maintainers seem to prefer the initramfs
> solution.

I'm one of the upstream SE Linux developers.  Any claim that there is 
agreement among upstream developers on this issue is false.

> Without compelling arguments I won't divert from that decision.
> - given that upstream is not going to include the selinux patch in upstart
> (as it currently stands), I'd have to carry the patch forever. Not something
> I'm very fond of.

What if we have an upstart-selinux package that provides /sbin/init which 
loads policy?  I can maintain that as an alternative to the main upstart 
package.

-- 
[email protected]
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog
