Bug#929063: init: delegate selinux operation to separate binary
Jesse Smith
jsmith at resonatingmedia.com
Thu May 23 20:31:02 BST 2019
On Thu, 23 May 2019 16:27:00 +0000 Dmitry Bogatov wrote:
>
>
> Also, every WITH_FOO flag doubles number of configurations your program
> have. Once you have dozen of flags, you no longer can test all of
> configurations.
Why not?
>
> I am surprised, that there is so much controversy on whether it is good
> to have some feature of program pluggable without re-compilation. The
> only real concern that was raised, as I see it, is how SELinux interacts
> with extra fork/exec.
The proposed patch doesn't seem to make the feature pluggable, it just
moves the feature to a second binary. There isn't anything here which
toggles the feature on/off, or lets the admin enable/disable it.
That being said, I'd be open to applying this upstream, with four
conditions or changes:
1. The selinux-check binary should probably be renamed so it is clear
this program is part of the SysV init suite. Maybe calling it something
like /sbin/sysvinit-selinux-check? I'm open to suggestions as to what it
should be called.
2. The patch should respect the compile-time define WITH_SELINUX in both
init.c and in the check-selinux.c code. Otherwise the build will either
fail or attempt to perform unnecessary fork/exec on systems without
SELinux, like Hurd and kFreeBSD. In fact, the Makefile should skip
building & installing check-selinux.c completely if SELinux is not
available on that platform. Otherwise we are making things more resource
hungry and complex on systems where SELinux is not included, rather than
less.
3. The new binary/helper program should have a man page.
4. There should be a test or script presented that demonstrates SELinux
still works properly with this approach. I don't want to open a security
issue by moving SELinux support to a non-PID1 binary.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/debian-init-diversity/attachments/20190523/1925a5b8/attachment.html>
More information about the Debian-init-diversity
mailing list