From: Lennart Poettering <mzerqung@0pointer.de>
To: Roberto Sassu <roberto.sassu@polito.it>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
selinux@lists.fedoraproject.org, initramfs@vger.kernel.org,
systemd-devel@lists.freedesktop.org,
linux-kernel@vger.kernel.org, Harald Hoyer <harald@redhat.com>
Subject: Re: [systemd-devel] dracut: ordering of modules
Date: Fri, 10 Feb 2012 19:14:14 +0100 [thread overview]
Message-ID: <20120210181413.GA13111@tango.0pointer.de> (raw)
In-Reply-To: <4F353840.8050505@polito.it>
On Fri, 10.02.12 16:31, Roberto Sassu (roberto.sassu@polito.it) wrote:
>
> Hi Mimi
>
> i'm CCing the systemd and Fedora SELinux mailing lists.
>
> Unfortunately, the SELinux policy initialization (at least
> in Fedora 16) has been moved to systemd, so, now, loading an
> IMA policy cannot be done in the initial ramdisk.
>
> Further, the SELinux policy loading code is not in a unit file
> but embedded in the main binary, which means that the new code for
> loading IMA policies must be added just after that point.
>
> I already wrote a patch for this. I need some time to test it
> and will post in the systemd mailing list at the beginning of
> the next week.
Hmm, what is this about? You need a place to load additional security
policies into the kernel at early boot? For SELinux that indeed takes
place from within PID 1 now in systemd. I'd expect that other security
technologies like AppArmor should work the same.
If you want to hack on this basing your work on selinux-setup.c in the
systemd tree should be fairly easy.
Lennart
--
Lennart Poettering - Red Hat, Inc.
next prev parent reply other threads:[~2012-02-10 18:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-10 15:01 dracut: ordering of modules Mimi Zohar
2012-02-10 15:31 ` Roberto Sassu
2012-02-10 18:14 ` Lennart Poettering [this message]
2012-02-12 0:17 ` [systemd-devel] " Mimi Zohar
2012-02-13 9:59 ` Harald Hoyer
2012-02-13 10:17 ` Roberto Sassu
2012-02-13 10:29 ` Harald Hoyer
2012-02-13 17:00 ` Daniel J Walsh
2012-02-14 15:53 ` Roberto Sassu
2012-02-14 18:53 ` Daniel J Walsh
2012-02-13 14:56 ` Mimi Zohar
2012-02-13 15:02 ` Hannes Reinecke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120210181413.GA13111@tango.0pointer.de \
--to=mzerqung@0pointer.de \
--cc=harald@redhat.com \
--cc=initramfs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=roberto.sassu@polito.it \
--cc=selinux@lists.fedoraproject.org \
--cc=systemd-devel@lists.freedesktop.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).