Bug#929063: init: delegate selinux operation to separate binary
Dmitry Bogatov
KAction at debian.org
Thu May 23 17:27:00 BST 2019
[2019-05-22 18:24] Jesse Smith <jsmith at resonatingmedia.com>
> On Wed, 22 May 2019 13:28:39 +0200 (CEST) Thorsten Glaser wrote:
> >
> > (I’m not quite convinced the effort is worth it, but given that
> > this would be changed upstream, and that there are likely other
> > users of the same upstream code who’re _not_ using SELinux, this
> > would be very welcomed by those, so I’m okay with it.)
>
> I'd like to point out that init already has compile-time defines in the
> code which check for the existence of SELinux (using the variable
> WITH_SELINUX). If WITH_SELINUX is not defined at compile time, then the
> SELinux code isn't built into init. So other projects, perhaps Debian
> Hurd or FreeBSD, can already build init without SELinux features.
Sure. The difference is in convenience. It is one thing when you have to
re-compile a program to get those and only those features you need (hi,
Gentoo), and another when you just install and uninstall pre-compiled
binaries.

Also, every WITH_FOO flag doubles the number of configurations your
program has. Once you have a dozen flags, you can no longer test all of
the configurations.

I am surprised that there is so much controversy over whether it is good
to have some feature of a program pluggable without re-compilation. The
only real concern that was raised, as I see it, is how SELinux interacts
with the extra fork/exec.
--
Note that I send and fetch email in batch, once every 24 hours.
If the matter is urgent, try https://t.me/kaction
--