From: Russell Coker
To: "Christopher J. PeBenito", Rahul Sandhu, selinux-refpolicy@vger.kernel.org
Subject: Re: RFC: earlyinit_t
Date: Fri, 19 Jun 2026 17:38:47 +1000
Message-ID: <2563044.CQOukoFCf9@dojacat>

On Friday, 19 June 2026 09:30:55 AEST Rahul Sandhu wrote:
> I think the concern is less that and moreso when policy is loaded. Off
> the top of my head, an example I can think of was one system I saw from
> a little while back which had the policy binary in the initramfs itself
> and hence loaded it midway through initramfs' setup and the switchroot.

Who does that nowadays?

https://etbe.coker.com.au/2008/07/24/se-linux-policy-loading/

I've written about my past tests with initrd policy and why I decided that was
a bad idea.

> Once policy is loaded however, I'm not aware of any _processes_ that do
> persist beyond the initramfs. On my system, both journald and udev end
> up re-exec'd for example.

Great!

--
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/