Debian Bug report logs - #543420
upstart: SELinux support

Package: upstart; Maintainer for upstart is Steve Langasek <vorlon@debian.org>; Source for upstart is src:upstart.

Reported by: Philipp Kern <pkern@debian.org>

Date: Mon, 24 Aug 2009 22:36:02 UTC

Severity: wishlist

Tags: patch

Merged with 545271

Found in versions 0.6.3, upstart/0.6.3-1

Fixed in version upstart/0.6.6-1

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugs.launchpad.net/upstart/+bug/595774


Report forwarded to debian-bugs-dist@lists.debian.org, pkern@debian.org, srivasta@debian.org, etbe@debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Mon, 24 Aug 2009 22:36:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Philipp Kern <pkern@debian.org>:
New Bug report received and forwarded. Copy sent to pkern@debian.org, srivasta@debian.org, etbe@debian.org, Michael Biebl <biebl@debian.org>. (Mon, 24 Aug 2009 22:36:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Philipp Kern <pkern@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: upstart: SELinux support
Date: Tue, 25 Aug 2009 00:27:30 +0200
[Message part 1 (text/plain, inline)]
Package: upstart
Version: 0.6.3-1
Severity: wishlist

I tried to use upstart with SELinux and it looks like some bits are missing to properly set it up.  Ubuntu includes them in a package called "selinux".

What we need are two files in /etc/initramfs-tools/scripts/init-bottom as attached.  I'm not sure if upstart is the right package for it but considering that it seems to work with normal inits and as it's mentioned in a related "upstart with SELinux" bug over at Launchpad it might be a sane workaround.

The only change I applied wrt the Ubuntu package is to change the path to load_policy from /sbin to /usr/sbin.  As the script in question chroots to the new root anyway this seems "somewhat" ok.  Of course that fails if /usr is a separate mount point, so in the long term that utility would need to be moved.

However, I've just started with SELinux so I cc'ed our two SELinux gurus on that.

(On a sidenote: Sadly there is something wrong in sid so that Xorg cannot communicate with hal/dbus after selinux is activated even in permissive mode (maybe they are set into some selinux mode?), so one loses keyboard and mouse.  One is getting to the point of a getty prompt, though, if gdm is deactivated.)

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-rc6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages upstart depends on:
ii  initscripts                   2.87dsf-2  scripts for initializing and shutt
ii  libc6                         2.9-25     GNU C Library: Shared libraries
ii  libdbus-1-3                   1.2.16-2   simple interprocess messaging syst
ii  sysv-rc                       2.87dsf-2  System-V-like runlevel change mech
ii  sysvinit-utils                2.87dsf-2  System-V-like utilities

upstart recommends no packages.

upstart suggests no packages.

-- no debconf information
[_load_policy (text/x-shellscript, attachment)]
[_restorecon (text/x-shellscript, attachment)]
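
The caveat in the report above (the init-bottom script chroots to the new root and calls /usr/sbin/load_policy, which fails when /usr is a separate mount point) can be checked before rebooting. The following is an added example, not part of the report or its attached scripts; the function names and the demo tree are constructed, and /sbin/load_policy, /etc/selinux/config and /etc/fstab are the standard paths it assumes.

```shell
#!/bin/sh
# Added example, not part of the bug report or of the attached scripts.
# Pre-flight check for the initramfs approach: at init-bottom time only the
# root filesystem is mounted, so load_policy must be reachable without /usr.

# Print the SELINUX= mode from ROOT/etc/selinux/config.
# A missing file or key is reported as "disabled" (this example's choice).
selinux_mode() {
    cfg="$1/etc/selinux/config"
    if [ ! -r "$cfg" ]; then
        echo disabled
        return 0
    fi
    mode=$(sed -n 's/^SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$cfg" | tail -n 1)
    echo "${mode:-disabled}"
}

# Succeed if ROOT/etc/fstab mounts /usr as a separate filesystem.
usr_is_separate_mount() {
    fstab="$1/etc/fstab"
    [ -r "$fstab" ] || return 1
    # Field 2 of a non-comment fstab line is the mount point.
    awk '$1 !~ /^#/ && $2 == "/usr" { found = 1 } END { exit !found }' "$fstab"
}

# Print the path (as seen inside the chroot) of a load_policy binary that is
# usable before /usr is mounted; fail if there is none.
find_load_policy() {
    root="$1"
    if [ -x "$root/sbin/load_policy" ]; then
        echo /sbin/load_policy
        return 0
    fi
    # /usr/sbin only counts when /usr lives on the root filesystem.
    if [ -x "$root/usr/sbin/load_policy" ] && ! usr_is_separate_mount "$root"; then
        echo /usr/sbin/load_policy
        return 0
    fi
    return 1
}

# Print a one-line verdict for ROOT; non-zero exit means the policy load
# from the initramfs would not find its binary.
preflight() {
    root="$1"
    mode=$(selinux_mode "$root")
    if [ "$mode" = disabled ]; then
        echo "skip: SELinux is disabled"
        return 0
    fi
    if path=$(find_load_policy "$root"); then
        echo "ok: $path ($mode)"
        return 0
    fi
    echo "fail: load_policy is not on the root filesystem ($mode)"
    return 1
}

# Constructed demo tree: load_policy only under /usr/sbin, /usr on its own
# partition, which is the failing layout the report describes.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/selinux" "$d/usr/sbin"
    printf 'SELINUX=permissive\nSELINUXTYPE=default\n' > "$d/etc/selinux/config"
    printf '/dev/sda1 / ext3 defaults 0 1\n/dev/sda2 /usr ext3 defaults 0 2\n' > "$d/etc/fstab"
    : > "$d/usr/sbin/load_policy"
    chmod +x "$d/usr/sbin/load_policy"
    preflight "$d" || true
    rm -rf "$d"
}
demo
```

On an installed system the same check is `preflight /`.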

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Mon, 24 Aug 2009 23:30:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Mon, 24 Aug 2009 23:30:06 GMT) Full text and rfc822 format available.

Message #10 received at 543420@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: 543420@bugs.debian.org
Subject: Red Hat and Ubuntu got it wrong
Date: Tue, 25 Aug 2009 09:20:04 +1000
[Message part 1 (text/plain, inline)]
http://etbe.coker.com.au/2008/07/24/se-linux-policy-loading/

I've described the issues related to init and SE Linux at the above URL.

I've attached a patch for upstart to make it load the policy, this patch was 
written over a year ago, so some minor changes may be required.  But 
basically the code is good.

In summary, the way SysVInit works is pretty good, it's been working well like 
that for many years - we should have a reason for doing things differently, 
and there is none.

The Red Hat idea of modifying the initramfs has the potential to make a system 
unbootable (you know for a fact that you have a working initramfs, you don't 
know that the next one you generate will work).

The Red Hat idea drops support for systems that don't have an initramfs, at 
best this limits the choices available to the sysadmin (they should be 
allowed to choose to compile a kernel without an initramfs and run it with SE 
Linux).  It also means dropping support for systems that don't support it, in 
the past there was quite a bit of hardware that didn't support booting with 
an initramfs.  Note that commercially available Xen virtual servers tend not 
to have an initramfs, so if we are ever to get Debian SE Linux support 
available at VPS hosting companies then we need to have init load the policy.

If the Red Hat idea is implemented in a consistent manner then it would 
require removing code from SysVInit.  Changing code that is working perfectly 
to support code with less features is a bad idea.

Making the initramfs bigger is a problem, it slows booting for tftp boot 
systems, it reduces space on the boot device, and there are situations where 
you may reach some hard limit of size.

The patch for /sbin/init is very small, it will take less disk space overall 
than the Red Hat idea.

There are lots of reasons for not following the Red Hat ideas on this issue.  
While you might debate some of them you will find a lack of compelling 
reasons for following Red Hat.


Philipp, thanks for your bug report.  I'm a bit short of time this week, I 
would appreciate it if you could do some tests with upstart compiled with 
this patch.  I will of course do all ongoing maintenance on this patch to 
keep it up to date.

Finally please note that while Unstable can't boot when running SysVInit in 
Enforcing mode due to policy bugs I will assign a lower priority to fixing 
Upstart than I might otherwise.
[diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 05:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Tue, 25 Aug 2009 05:54:04 GMT) Full text and rfc822 format available.

Message #15 received at 543420@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Manoj Srivastava <srivasta@debian.org>, Philipp Kern <pkern@debian.org>
Cc: 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Tue, 25 Aug 2009 15:48:08 +1000
On Tuesday 25 August 2009 13:51:14 Manoj Srivastava wrote:
>         Suse actually copies the file over into the initramfs, instead
>  of moving the file from /usr/sbin to /sbin; since the only place this
>  is even marginally useful is before init has started; init loads
>  selinux policy directly without needing load_policy, and re-exec's
>  itself.
>
>         Given that it is  useful during very early boot before init is
>  started, it would be good solution to add this file to the
>  initramfs. otherwise even people not using initramfs will have a larger
>  /

Actually it is not useful at all to do such things before init is started.

All processes that run before init have super-user access.  There is no benefit 
in confining them.

init is quite good at loading the policy.  We only need to load it 
automatically in one place.  init is about initialising the system, this 
includes loading the policy.

The smallest possible size of the root filesystem will be achieved if init is 
the only code on it that loads policy.  Having several copies of load_policy 
in the various initramfs files (backup files, files for Xen and non-Xen kernels, 
and for different kernel versions) takes more space on /boot (which is often 
the root filesystem).

We have had init loading the policy for years, there is no problem with this.  
There is no need for a change.




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 09:03:06 GMT) Full text and rfc822 format available.

Message #18 received at 543420@bugs.debian.org (full text, mbox):

From: Philipp Kern <pkern@debian.org>
To: Russell Coker <russell@coker.com.au>
Cc: Manoj Srivastava <srivasta@debian.org>, Philipp Kern <pkern@debian.org>, 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Tue, 25 Aug 2009 10:40:15 +0200
[Message part 1 (text/plain, inline)]
Russell,

on Tue, Aug 25, 2009 at 03:48:08PM +1000 you wrote the following:
> We have had init loading the policy for years, there is no problem with this.  
> There is no need for a change.

the problem is that upstart does not do this and that's what this bug report
is about.  upstart provides its own /sbin/init.

Somehow upstream decided that it's not necessary to implement this and came
up with the initramfs solution.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 10:39:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Tue, 25 Aug 2009 10:39:19 GMT) Full text and rfc822 format available.

Message #23 received at 543420@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Philipp Kern <pkern@debian.org>
Cc: Manoj Srivastava <srivasta@debian.org>, 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Tue, 25 Aug 2009 20:03:27 +1000
On Tue, 25 Aug 2009, Philipp Kern <pkern@debian.org> wrote:
> on Tue, Aug 25, 2009 at 03:48:08PM +1000 you wrote the following:
> > We have had init loading the policy for years, there is no problem with
> > this. There is no need for a change.
>
> the problem is that upstart does not do this and that's what this bug
> report is about.  upstart provides its own /sbin/init.

Sure, SysVInit provides /sbin/init and we patched it.  We can do the same for 
Upstart and we don't need any more upstream cooperation than we received from 
the SysVInit people.

> Somehow upstream decided that it's not necessary to implement this and came
> up with the initramfs solution.

Sure, and like all bad decisions by upstream developers we can ignore it and 
solve the problem the right way.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 12:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. (Tue, 25 Aug 2009 12:15:05 GMT) Full text and rfc822 format available.

Message #28 received at 543420@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Russell Coker <russell@coker.com.au>, 543420@bugs.debian.org
Cc: Manoj Srivastava <srivasta@debian.org>, Philipp Kern <pkern@debian.org>
Subject: Re: Bug#543420: upstart: SELinux support
Date: Tue, 25 Aug 2009 14:07:50 +0200
[Message part 1 (text/plain, inline)]
Russell Coker wrote:
> On Tuesday 25 August 2009 13:51:14 Manoj Srivastava wrote:
>>         Suse actually copies the file over into the initramfs, instead
>>  of moving the file from /usr/sbin to /sbin; since the only place this
>>  is even marginally useful is before init has started; init loads
>>  selinux policy directly without needing load_policy, and re-exec's
>>  itself.
>>
>>         Given that it is  useful during very early boot before init is
>>  started, it would be good solution to add this file to the
>>  initramfs. otherwise even people not using initramfs will have a larger
>>  /
> 
> Actually it is not useful at all to do such things before init is started.
> 
> All processes that run before init have super-user access.  There is no benefit 
> in confining them.
> 
> init is quite good at loading the policy.  We only need to load it 
> automatically in one place.  init is about initialising the system, this 
> includes loading the policy.
> 
> The smallest possible size of the root filesystem will be achieved if init is 
> the only code on it that loads policy.  Having several copies of load_policy 
> in the various initramfs files (backup files, files for Xen and non-Xen kernels, 
> and for different kernel versions) takes more space on /boot (which is often 
> the root filesystem).
> 
> We have had init loading the policy for years, there is no problem with this.  
> There is no need for a change.

Hi everyone,

first of all, thanks for the patches and interest you've shown so far.

As maintainer of upstart I currently prefer the initramfs solution given the
following arguments:

- selinux is only used by a very low percentage of our users
- linking against selinux means the list of dependencies increases, which
increases the potential for failures. I try to keep the dependencies as minimal
as possible.
- the package will be entangled in libselinux testing transitions (libselinux
seems to bump shlibs very regularly)
- I don't see a good reason to patch each and every /sbin/init if we can just
add support in one place, i.e. the initramfs
- I would include the selinux initramfs bits in one of the selinux packages, so
people not using selinux won't get the additional bloat. Btw, it would be good
to have hard numbers, by what size the initramfs increases. I don't use selinux,
so I can't tell.
- upstream selinux and upstart maintainers seem to prefer the initramfs
solution. Without compelling arguments I won't divert from that decision.
- given that upstream is not going to include the selinux patch in upstart (as
it currently stands), I'd have to carry the patch forever. Not something I'm very
fond of.

Cheers,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 17:12:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Tue, 25 Aug 2009 17:12:16 GMT) Full text and rfc822 format available.

Message #33 received at 543420@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Michael Biebl <biebl@debian.org>
Cc: 543420@bugs.debian.org, Manoj Srivastava <srivasta@debian.org>, Philipp Kern <pkern@debian.org>
Subject: Re: Bug#543420: upstart: SELinux support
Date: Wed, 26 Aug 2009 03:01:43 +1000
On Tue, 25 Aug 2009, Michael Biebl <biebl@debian.org> wrote:
> first of all, thanks for the patches and interest you've shown so far.
>
> As maintainer of upstart I currently prefer the initramfs solution given
> the following arguments:
>
> - selinux is only used by a very low percentage of our users

As is Upstart, as is having /usr as a separate filesystem.

> - linking against selinux means the list of dependencies increases, which
> increases the potential for failures. I try to keep the dependencies as
> minimal as possible.

Can you cite any examples of failures in SysVInit from this?  Note that 
SysVInit has been compiled this way for a long time and is much more popular 
than Upstart.

> - the package will be entangled in libselinux testing transitions
> (libselinux seems to bump shlibs very regularly)

Has this caused problems for SysVInit?

> - I don't see a good reason to patch each and every /sbin/init if we can
> just add support in one place, i.e. the initramfs

We will have two /sbin/init programs available in Lenny.  We have patches for 
both of them.

As I noted previously your plan involves breaking support for systems without 
an initramfs.  You have not yet provided a good reason for ceasing such 
support.

> - I would include the selinux initramfs bits in one of the selinux
> packages, so people not using selinux won't get the additional bloat.

As /bin/ls is linked against libselinux every user will have it installed.

If you are worried about "additional bloat" then you will want to not require 
load_policy to be in the root filesystem and allow it to be in /usr (its 
current location).  This means not changing the way the initramfs works.

> Btw, 
> it would be good to have hard numbers, by what size the initramfs
> increases. I don't use selinux, so I can't tell.

Why don't you just build an initramfs in the manner you advocate?  You don't 
need to use SE Linux to build the initramfs.

> - upstream selinux and upstart maintainers seem to prefer the initramfs
> solution.

I'm one of the upstream SE Linux developers.  Any claim that there is 
agreement among upstream developers on this issue is false.

> Without compelling arguments I won't divert from that decision. 
> - given that upstream is not going to include the selinux patch in upstart
> (as it currently stands), I'd have to carry the patch forever. Not something
> I'm very fond of.

What if we have an upstart-selinux package that provides /sbin/init which 
loads policy?  I can maintain that as an alternative to the main upstart 
package.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 21:24:46 GMT) Full text and rfc822 format available.

Acknowledgement sent to Manoj Srivastava <srivasta@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Tue, 25 Aug 2009 21:24:46 GMT) Full text and rfc822 format available.

Message #38 received at 543420@bugs.debian.org (full text, mbox):

From: Manoj Srivastava <srivasta@debian.org>
To: Philipp Kern <pkern@debian.org>
Cc: Russell Coker <russell@coker.com.au>, 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Tue, 25 Aug 2009 14:01:41 -0500
On Tue, Aug 25 2009, Philipp Kern wrote:

> Russell,
>
> on Tue, Aug 25, 2009 at 03:48:08PM +1000 you wrote the following:
>> We have had init loading the policy for years, there is no problem
>> with this.  There is no need for a change.
>
> the problem is that upstart does not do this and that's what this bug report
> is about.  upstart provides its own /sbin/init.

        OK. We can get it patched.

> Somehow upstream decided that it's not necessary to implement this and came
> up with the initramfs solution.

        Which is inferior, in that it does not use the shared library
 and will have multiple versions of the sources around in initramfs, or
 not be able to run the script because it is on /usr, commonly on other
 partitions.

        manoj
-- 
Hate is like acid.  It can damage the vessel in which it is stored as
well as destroy the object on which it is poured.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 21:30:13 GMT) Full text and rfc822 format available.

Acknowledgement sent to Manoj Srivastava <srivasta@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Tue, 25 Aug 2009 21:30:13 GMT) Full text and rfc822 format available.

Message #43 received at 543420@bugs.debian.org (full text, mbox):

From: Manoj Srivastava <srivasta@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: Russell Coker <russell@coker.com.au>, 543420@bugs.debian.org, Philipp Kern <pkern@debian.org>
Subject: Re: Bug#543420: upstart: SELinux support
Date: Tue, 25 Aug 2009 14:08:09 -0500
On Tue, Aug 25 2009, Michael Biebl wrote:


> first of all, thanks for the patches and interest you've shown so far.

> As maintainer of upstart I currently prefer the initramfs solution given the
> following arguments:

> - selinux is only used by a very low percentage of our users

        But it is enabled in compiled in by default in mainstream
 Debian, and if upstart wants to get into Debian, perhaps it should
 follow Debian conventions
> - linking against selinux means the list of dependencies increases, which
> increases the potential for failures. I try to keep the dependencies
> as minimal as possible.

        Adding a dependency on an initramfs is then a fail. None of my
 non-laptop machines use an initramfs, and so upstart can't be used
 without adding restrictions that Debian has so far not added to  the
 install.

> - the package will be entangled in libselinux testing transitions (libselinux
>   seems to bump shlibs very regularly)

        I do not think you understand the difference between an SONAME
 change (API changes) and a shlibs bump (ABI change). Your package will
 not have to be recompiled or re-uploaded because of a shlibs
 change. No transition here.

        Indeed, there has not been a libselinux transition since forever.

> - I don't see a good reason to patch each and every /sbin/init if we
>   can just add support in one place, i.e. the initramfs

        Because initramfs is not universal, and should not be made a
 requirement to run Debian.

> - I would include the selinux initramfs bits in one of the selinux
>   packages, so people not using selinux won't get the additional
>   bloat. Btw, it would be good to have hard numbers, by what size the
>   initramfs increases. I don't use selinux, so I can't tell.

        

> - upstream selinux and upstart maintainers seem to prefer the
>   initramfs solution. Without compelling arguments I won't divert from
>   that decision. 

        Upstream SELinux people have said no such thing. Indeed,
 upstream init has SELinux patches in mainline now.


> -  given that upstream is not going to include the selinux patch in
>    upstart (as it currently stands), I'd have to carry the patch
>    forever. Not something I'm very fond of.

        It is not a big patch, and has not had many issues in init
 before it went mainstream.

        manoj
-- 
A 'full' life in my experience is usually full only of other people's
demands.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 21:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. (Tue, 25 Aug 2009 21:42:04 GMT) Full text and rfc822 format available.

Message #48 received at 543420@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Manoj Srivastava <srivasta@debian.org>, 543420@bugs.debian.org
Cc: Russell Coker <russell@coker.com.au>, Philipp Kern <pkern@debian.org>
Subject: Re: Bug#543420: upstart: SELinux support
Date: Tue, 25 Aug 2009 23:41:06 +0200
[Message part 1 (text/plain, inline)]
Manoj Srivastava wrote:
> On Tue, Aug 25 2009, Michael Biebl wrote:
> 
> 
>> first of all, thanks for the patches and interest you've shown so far.
> 
>> As maintainer of upstart I currently prefer the initramfs solution given the
>> following arguments:
> 
>> - selinux is only used by a very low percentage of our users
> 
>         But it is enabled in compiled in by default in mainstream
>  Debian, and if upstart wants to get into Debian, perhaps it should
>  follow Debian conventions

upstart is already in Debian, fwiw.
What we are talking about here, is how to add support for running /sbin/init
under selinux.

There is no such thing as a "Debian convention" that this has to be done by
patching init.

>> - linking against selinux means the list of dependencies increases, which
>> increases the potential for failures. I try to keep the dependencies
>> as minimal as possible.
> 
>         Adding a dependency on an initramfs is then a fail. None of my
>  non-laptop machines use an initramfs, and so upstart can't be used

Upstart can very well be used without an initramfs.


>> - the package will be entangled in libselinux testing transitions (libselinux
>>   seems to bump shlibs very regularly)
> 
>         I do not think you understand the difference between an SONAME
>  change (API changes) and a shlibs bump (ABI change). Your package will
>  not have to be recompiled or re-uploaded because of a shlibs
>  change. No transition here.
> 
>         Indeed, there has not been a libselinux transition since forever.

Manoj, I really don't like this way you present your arguments here. See my PM
about that.

FWIW, I perfectly know what I'm talking about.

>> - I don't see a good reason to patch each and every /sbin/init if we
>>   can just add support in one place, i.e. the initramfs
> 
>         Because initramfs is not universal, and should not be made a
>  requirement to run Debian.

Well, what you ask me about, is to make libselinux a requirement and enforce
that to upstart. See?
What I try to explore is if there are better alternatives, and the initramfs
solution looks like a simpler and easier to maintain solution to me.


>> - I would include the selinux initramfs bits in one of the selinux
>>   packages, so people not using selinux won't get the additional
>>   bloat. Btw, it would be good to have hard numbers, by what size the
>>   initramfs increases. I don't use selinux, so I can't tell.
> 
>         
> 
>> - upstream selinux and upstart maintainers seem to prefer the
>>   initramfs solution. Without compelling arguments I won't divert from
>>   that decision. 
> 
>         Upstream SELinux people have said no such thing. Indeed,
>  upstream init has SELinux patches in mainline now.

No, upstream init has no selinux support. You are wrong here.

> 
>> -  given that upstream is not going to include the selinux patch in
>>    upstart (as it currently stands), I'd have to carry the patch
>>    forever. Not something I'm very fond of.
> 
>         It is not a big patch, and has not had many issues in init
>  before it went mainstream.

An upstart selinux patch has never gone upstream.


Cheers,
Michael

P.S: Manoj, I know your kind of argumentation style, so I'll just stop here,
because I don't want to engage into endless, pointless discussions.

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 22:03:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Tue, 25 Aug 2009 22:03:16 GMT) Full text and rfc822 format available.

Message #53 received at 543420@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Manoj Srivastava <srivasta@debian.org>
Cc: Michael Biebl <biebl@debian.org>, 543420@bugs.debian.org, Philipp Kern <pkern@debian.org>
Subject: Re: Bug#543420: upstart: SELinux support
Date: Wed, 26 Aug 2009 08:01:49 +1000
On Wednesday 26 August 2009 05:08:09 Manoj Srivastava wrote:
> > - selinux is only used by a very low percentage of our users
>
>         But it is enabled in compiled in by default in mainstream
>  Debian, and if upstart wants to get into Debian, perhaps it should
>  follow Debian conventions

Of course another option is to have SE Linux packages depend on sysvinit.

Another possibility is to have a shell script wrapper for /sbin/init which 
loads the policy and runs the real init.  I've implemented this before, but 
the consensus of opinion was that a patch to the code was a better option.

> > - linking against selinux means the list of dependencies increases, which
> > increases the potential for failures. I try to keep the dependencies
> > as minimal as possible.
>
>         Adding a dependency on an initramfs is then a fail. None of my
>  non-laptop machines use an initramfs, and so upstart can't be used
>  without adding restrictions that Debian has so far not added to  the
>  install.

Also it should be noted that using nash to do this in Fedora uses less 
resources than adding extra scripts that are conditionally included.

> > - I don't see a good reason to patch each and every /sbin/init if we
> >   can just add support in one place, i.e. the initramfs

Let's not get stuck on this "each and every" thing.  The correct term is 
"both", and we have patches for both of them.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 22:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. (Tue, 25 Aug 2009 22:27:03 GMT) Full text and rfc822 format available.

Message #58 received at 543420@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: Russell Coker <russell@coker.com.au>, 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Wed, 26 Aug 2009 00:18:38 +0200
[Message part 1 (text/plain, inline)]
Russell Coker wrote:

> 
>>> - I don't see a good reason to patch each and every /sbin/init if we
>>>   can just add support in one place, i.e. the initramfs
> 
> Let's not get stuck on this "each and every" thing.  The correct term is 
> "both", and we have patches for both of them.

Well, ttbomk there are currently 4: minit, runit-run, upstart and sysvinit.

Cheers,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Tue, 25 Aug 2009 22:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Manoj Srivastava <srivasta@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Tue, 25 Aug 2009 22:33:03 GMT) Full text and rfc822 format available.

Message #63 received at 543420@bugs.debian.org (full text, mbox):

From: Manoj Srivastava <srivasta@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: 543420@bugs.debian.org, Russell Coker <russell@coker.com.au>, Philipp Kern <pkern@debian.org>
Subject: Re: Bug#543420: upstart: SELinux support
Date: Tue, 25 Aug 2009 15:10:01 -0500
On Tue, Aug 25 2009, Michael Biebl wrote:

> Manoj Srivastava wrote:
>> On Tue, Aug 25 2009, Michael Biebl wrote:
>> 
>> 
>>> first of all, thanks for the patches and interest you've shown so far.
>> 
>>> As maintainer of upstart I currently prefer the initramfs solution given the
>>> following arguments:
>> 
>>> - selinux is only used by a very low percentage of our users
>> 
>>         But it is enabled in compiled in by default in mainstream
>>  Debian, and if upstart wants to get into Debian, perhaps it should
>>  follow Debian conventions
>
> upstart is already in Debian, fwiw.  What we are talking about here,
> is how to add support for running /sbin/init under selinux.

        /sbin/init from the more popular package sysvinit has a small
 patch that gives it this functionality, and does not depend on the
 user running initramfs, which many do not.

>
> There is no such thing as a "Debian convention" that this has to be done by
> patching init.

        So, find a solution that does not require mandating initramfs,
 and I'll be happy to lend a hand.

>>> - linking against selinux means the list of dependencies increases, which
>>> increases the potential for failures. I try to keep the dependencies
>>> as minimal as possible.
>> 
>>         Adding a dependency on an initramfs is then a fail. None of my
>>  non-laptop machines use an initramfs, and so upstart can't be used

> Upstart can very well be used without an initramfs.

        Good. Now if you can demonstrate how it can also support
 SELinux, as the rest of Debian core infrastructure does, while keeping
 it so, we will h

>>> - I don't see a good reason to patch each and every /sbin/init if we
>>>   can just add support in one place, i.e. the initramfs
>> 
>>         Because initramfs is not universal, and should not be made a
>>  requirement to run Debian.
>
> Well, what you ask me about, is to make libselinux a requirement and
> enforce that to upstart. See?  What I try to explore is if there are
> better alternatives, and the initramfs solution looks like a simpler
> and easier to maintain solution to me.

        Well, libselinux is linked into sysvinit, dpkg, coreutils, and
 is in the upstream of findutils. It will exist on every Debian
 installation, and is likely to be loaded into the memory as
 well. Sounds like not a very onerous requirement to me.
>>         Upstream SELinux people have said no such thing. Indeed,
>>  upstream init has SELinux patches in mainline now.
>
> No, upstream init has no selinux support. You are wrong here.

sysvinit (2.87dsf-1) unstable; urgency=low
  * New upstream release.
    - Drop patch 40_selinux now included upstream.
 -- Petter Reinholdtsen <pere@debian.org>  Sat, 25 Jul 2009 16:44:55 +0200


        Care to look again?

>> 
>>> -  given that upstream is not going to include the selinux patch in
>>>    upstart (as it currently stands), I'd have to carry the patch
>>>    forever. Not something I'm very fond of.
>> 
>>         It is not a big patch, and has not had many issues in init
>>  before it went mainstream.

> An upstart selinux patch has never gone upstream.


        Did I say upstart? I said init, and I meant system V init from
 UNIX, in Linux as sysvinit. SELinux patch applied in 2005, included in
 upstream in 2009.

        So, four years with no issues as a patch in Debian, and now in
 upstream sysvinit.  Not sure this is an issue, really.

> P.S: Manoj, I know your kind of argumentation style, so I'll just stop here,
> because I don't want to engage into endless, pointless discussions.

        What, you scared of fact based arguments?

        manoj
-- 
Murphy's Law is recursive.  Washing your car to make it rain doesn't
work.
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Wed, 26 Aug 2009 06:42:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Wed, 26 Aug 2009 06:42:02 GMT) Full text and rfc822 format available.

Message #68 received at 543420@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Michael Biebl <biebl@debian.org>
Cc: 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Wed, 26 Aug 2009 16:33:55 +1000
On Wed, 26 Aug 2009, Michael Biebl <biebl@debian.org> wrote:
> Well, ttbomk there are currently 4: minit, runit-run, upstart and sysvinit.

From the minit description in unstable:
# This package is experimental and not easy to install and use.

But even so I'm happy to write a patch for it even if hardly anyone will use 
it.

What is the status of runit-run?  I can write a patch for it too.

But really only sysvinit and upstart are going to get any significant number 
of people using them.

Your argument seems to be based on the assumption that it's difficult for me 
to write patches for 2 or 3 init systems (it's not, I implemented more than 3 
experimental methods for loading the policy before we decided on patching 
sysvinit), that it's difficult for the other init maintainers (the sysvinit 
people never had any trouble, why assume that minit or runit-run will be 
different), or that there will be some explosion in the number of init 
systems (which really seems unlikely).

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Wed, 26 Aug 2009 21:36:13 GMT) Full text and rfc822 format available.

Message #71 received at 543420@bugs.debian.org (full text, mbox):

From: Philipp Kern <pkern@debian.org>
To: Michael Biebl <biebl@debian.org>
Cc: Russell Coker <russell@coker.com.au>, 543420@bugs.debian.org, Manoj Srivastava <srivasta@debian.org>, Philipp Kern <pkern@debian.org>
Subject: Re: Bug#543420: upstart: SELinux support
Date: Wed, 26 Aug 2009 23:25:43 +0200
On Tue, Aug 25, 2009 at 02:07:50PM +0200, Michael Biebl wrote:
> - I would include the selinux initramfs bits in one of the selinux packages, so
> people not using selinux won't get the additional bloat. Btw, it would be good
> to have hard numbers, by what size the initramfs increases. I don't use selinux,
> so I can't tell.

libselinux.so.1 is already included in the initramfs.  However looking
at load_policy's NEEDED list I also get libsepol.so.1.  load_policy itself
is only 7k, which is ignorable, but libsepol.so.1 is huge with its 241k.
I suppose that it's needed to actually parse policy?

Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Wed, 26 Aug 2009 23:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Wed, 26 Aug 2009 23:36:03 GMT) Full text and rfc822 format available.

Message #76 received at 543420@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Philipp Kern <pkern@debian.org>
Cc: Michael Biebl <biebl@debian.org>, 543420@bugs.debian.org, Manoj Srivastava <srivasta@debian.org>
Subject: Re: Bug#543420: upstart: SELinux support
Date: Thu, 27 Aug 2009 09:27:35 +1000
On Thu, 27 Aug 2009, Philipp Kern <pkern@debian.org> wrote:
> libselinux.so.1 is already included in the initramfs.

That is for /lib/libdevmapper.so.1.02.1 which is used by lvm and cryptsetup.

There is no benefit in having a libdevmapper linked with SE Linux support in 
the initramfs.  Ideally we would have an alternate version of the library 
with no SE Linux support for use in the initramfs.  Another possibility might 
be to have the libdevmapper use dlopen() to access libselinux and have code 
to just issue a warning if the library doesn't exist.

Some time ago I did some work on this, but I didn't get a good solution 
developed.

But that said, I think that the aim of the people who are pushing this idea is 
not to have load_policy in the initramfs but to have the initramfs run the 
version from the root filesystem.

http://en.wikipedia.org/wiki/Initrd

The documentation of the initrd indicates that its purpose is to mount the 
root filesystem in preparation for running init.  Externalising work that 
could be done in later stages of the boot process was never the aim of the 
initrd.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Thu, 27 Aug 2009 10:48:31 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Thu, 27 Aug 2009 10:48:42 GMT) Full text and rfc822 format available.

Message #81 received at 543420@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Michael Biebl <biebl@debian.org>
Cc: 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Thu, 27 Aug 2009 20:37:47 +1000
On Wed, 26 Aug 2009, Russell Coker <russell@coker.com.au> wrote:
> On Wed, 26 Aug 2009, Michael Biebl <biebl@debian.org> wrote:
> > Well, ttbomk there are currently 4: minit, runit-run, upstart and
> > sysvinit.
>
> From the minit description in unstable:
> # This package is experimental and not easy to install and use.

I've just looked at the source.  minit used dietlibc, it is apparently not 
designed for full-featured systems, and it doesn't even provide /sbin/init 
(you have to use init=/sbin/minit to use it).

So we are down to three init packages now.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Thu, 27 Aug 2009 11:15:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Thu, 27 Aug 2009 11:15:11 GMT) Full text and rfc822 format available.

Message #86 received at 543420@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: Michael Biebl <biebl@debian.org>
Cc: 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Thu, 27 Aug 2009 21:07:15 +1000
On Thu, 27 Aug 2009, Russell Coker <russell@coker.com.au> wrote:
> On Wed, 26 Aug 2009, Russell Coker <russell@coker.com.au> wrote:
> > On Wed, 26 Aug 2009, Michael Biebl <biebl@debian.org> wrote:
> > > Well, ttbomk there are currently 4: minit, runit-run, upstart and
> > > sysvinit.
> >
> > From the minit description in unstable:
> > # This package is experimental and not easy to install and use.
>
> I've just looked at the source.  minit used dietlibc, it is apparently not
> designed for full-featured systems, and it doesn't even provide /sbin/init
> (you have to use init=/sbin/minit to use it).
>
> So we are down to three init packages now.

Starting portmap daemon....
Starting NFS common utilities: statd.
Cleaning up temporary files....
Setting console screen modes and fonts.
- runit: leave stage: /etc/runit/1
- runit: enter stage: /etc/runit/2

I have just tested runit-run.  When I boot with it the boot process ends with 
the above on the console (and with sshd and getty not running).  It also has 
a serious bug against it which is a duplicate of bug #408280 from 2007 - 
which has not even had a comment from the maintainer.

One of the main features of minit seems to be the use of dietlibc.  It seems 
likely that there will be few people who find that they can't afford the 1.4M 
of disk space for glibc (on AMD64 architecture) but who can afford the disk 
space for SE Linux.

I think it's reasonable to use the word "both" when referring to init systems 
that are viable for fully configured systems running SE Linux.


PS  Does SUSE use the same initrd as Red Hat?  If not then there are more 
initrd's in common use than there are init's...

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog




Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Fri, 28 Aug 2009 14:48:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Manoj Srivastava <srivasta@debian.org>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Fri, 28 Aug 2009 14:48:17 GMT) Full text and rfc822 format available.

Message #91 received at 543420@bugs.debian.org (full text, mbox):

From: Manoj Srivastava <srivasta@debian.org>
To: Philipp Kern <pkern@debian.org>
Cc: Michael Biebl <biebl@debian.org>, Russell Coker <russell@coker.com.au>, 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Fri, 28 Aug 2009 09:15:52 -0500
On Wed, Aug 26 2009, Philipp Kern wrote:

> On Tue, Aug 25, 2009 at 02:07:50PM +0200, Michael Biebl wrote:
>> - I would include the selinux initramfs bits in one of the selinux packages, so
>> people not using selinux won't get the additional bloat. Btw, it would be good
>> to have hard numbers, by what size the initramfs increases. I don't use selinux,
>> so I can't tell.
>
> libselinux.so.1 is already included in the initramfs.  However looking
> at load_policy's NEEDED list I also get libsepol.so.1.  load_policy itself
> is only 7k, which is ignorable, but libsepol.so.1 is huge with its 241k.
> I suppose that it's needed to actually parse policy?

        Yes. From the long description of libsepol1:
--8<---------------cut here---------------start------------->8---
 libsepol provides an API for the manipulation of SELinux binary
 policies.  It is used by checkpolicy (the policy compiler) and similar
 tools, as well as by programs like load_policy that need to perform
 specific transformations on binary policies such as customizing policy
 boolean settings.
--8<---------------cut here---------------end--------------->8---

        manoj
-- 
Why not go out on a limb?  Isn't that where the fruit is?
Manoj Srivastava <srivasta@debian.org> <http://www.debian.org/~srivasta/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C




Forcibly Merged 543420 545271. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Sun, 06 Sep 2009 10:09:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Thu, 10 Sep 2009 18:15:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Manoj Srivastava <srivasta@golden-gryphon.com>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Thu, 10 Sep 2009 18:15:07 GMT) Full text and rfc822 format available.

Message #98 received at 543420@bugs.debian.org (full text, mbox):

From: Manoj Srivastava <srivasta@golden-gryphon.com>
To: selinux@tycho.nsa.gov
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] Add functionality to upstart to load policy early in boot
Date: Thu, 10 Sep 2009 13:03:34 -0500
On Tue, Sep 08 2009, Stephen Smalley wrote:

> On Tue, 2009-09-08 at 13:26 -0400, Stephen Smalley wrote:
>> On Mon, 2009-09-07 at 09:16 -0500, Manoj Srivastava wrote:
>> > From: Manoj Srivastava <srivasta@debian.org>
>> > 
>> > 
>> >          As has been reported, Debian is planning on moving to upstart
>> >  for the next release. Debian does not require a system to have an
>> >  initramfs (custom kernels which do not need initramfs and/or modules
>> >  are supported), so it is desirable to have /sbin/init load policy early
>> >  in the boot process, and sysvinit has already been patched like this.
>> >  I am sending this in for comment and review.
>> > 
>> > This patch is applied conditionally, and unless WITH_SELINUX is defined
>> > when make is called (that is, at compile time), it does nothing. If
>> > WITH_SELINUX is set to 'yes' at compile time, this patch, analogous to
>> > that in sysvinit, checks early to see if SELinux is enabled on the
>> > machine, and then tries to load policy. If loading policy fails, and if
>> > SELinux is in enforcing mode, it prevents startup.
>> > 
>> > If the machine does not have selinux enabled at run time, nothing
>> > happens.
>> 
>> Looks like you followed the sysvinit selinux patch except that you added
>> a test of is_selinux_enabled() that ensures that upstart will not try to
>> load policy a second time if it was already loaded (e.g. by the
>> initramfs).  So it looks good to me.  Not sure about the best way to
>> report errors from upstart - you might look to see if there is a better
>> interface than just fprintf(stderr...) that would be suitable to ensure
>> that the user actually sees that message.
>
> Wondering whether you actually need the putenv() and getenv() calls -
> that was the old way of ensuring that we didn't try to load policy twice
> when we re-exec init.  But if we're now testing is_selinux_enabled() to
> detect whether it was already loaded by initramfs, that may suffice (not
> entirely sure - it depends on whether we have /proc mounted).

        I thought about that. I am not sure about this, and the overhead
 seems low (one putenv/getenv set of calls), so I decided to err on the
 side of caution. (I don't actually use upstart yet, since the support
 for sysvinit style init scripts is not in place in Debian so far, so I
 have only tried it in toy virtual machines).

        manoj
-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
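
The policy-load decision discussed in the message above (the is_selinux_enabled() check plus the putenv()/getenv() re-exec guard), as an added C example that is not the patch from this bug or upstart's own code. The libselinux calls are injected through a hypothetical `selinux_ops` struct so the logic runs against constructed fakes; the `SELINUX_INIT` variable name, `early_policy_load()` and the fakes are assumptions of the example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv()/unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>

/* Marker name assumed for this example; the thread does not name it. */
#define GUARD_ENV "SELINUX_INIT"

enum boot_action { BOOT_CONTINUE, BOOT_REEXEC, BOOT_HALT };

struct selinux_ops {
    int (*is_enabled)(void);          /* >0: a policy is already loaded */
    int (*load_policy)(int *enforce); /* 0 on success, <0 on failure    */
};

#ifdef WITH_SELINUX
#include <selinux/selinux.h>
/* Real libselinux bindings, compiled only when WITH_SELINUX is defined. */
static const struct selinux_ops real_ops = {
    is_selinux_enabled, selinux_init_load_policy
};
#endif

enum boot_action early_policy_load(const struct selinux_ops *ops)
{
    int enforce = 0;

    /* Guard 1: this is the re-exec'd image; the previous image loaded policy. */
    if (getenv(GUARD_ENV) != NULL)
        return BOOT_CONTINUE;

    /* Guard 2: something earlier (e.g. the initramfs) already loaded policy. */
    if (ops->is_enabled() > 0)
        return BOOT_CONTINUE;

    /* Set the marker before loading so it survives the re-exec. The patch
     * under discussion uses putenv(); setenv() is used here so the example
     * can also clear the marker between scenarios. */
    if (setenv(GUARD_ENV, "YES", 1) != 0)
        perror("setenv");

    if (ops->load_policy(&enforce) == 0)
        return BOOT_REEXEC;           /* caller re-execs init */

    if (enforce > 0) {
        fprintf(stderr, "SELinux policy load failed in enforcing mode\n");
        return BOOT_HALT;             /* prevent startup */
    }
    return BOOT_CONTINUE;             /* disabled or permissive: keep booting */
}

/* ---- constructed fakes standing in for libselinux ---- */
static int fake_enabled, fake_load_rc, fake_enforce, load_calls;
static int fake_is_enabled(void) { return fake_enabled; }
static int fake_load(int *enforce)
{
    load_calls++;
    *enforce = fake_enforce;
    return fake_load_rc;
}
static const struct selinux_ops fake_ops = { fake_is_enabled, fake_load };

/* Run one scenario starting from a clean environment. */
enum boot_action run_case(int enabled, int load_rc, int enforce)
{
    unsetenv(GUARD_ENV);
    fake_enabled = enabled;
    fake_load_rc = load_rc;
    fake_enforce = enforce;
    load_calls = 0;
    return early_policy_load(&fake_ops);
}

/* Re-exec with /proc unavailable: is_enabled reports 0 in both images, so
 * only the environment marker stops a second load. Returns the load count. */
int loads_across_reexec(void)
{
    run_case(0, 0, 1);             /* first image: loads, requests re-exec */
    early_policy_load(&fake_ops);  /* second image: marker still set       */
    return load_calls;
}

int main(void)
{
    printf("already loaded by initramfs -> %d\n", run_case(1, 0, 1));
    printf("fresh load succeeds         -> %d\n", run_case(0, 0, 1));
    printf("load fails, enforcing       -> %d\n", run_case(0, -1, 1));
    printf("load fails, not enforcing   -> %d\n", run_case(0, -1, 0));
    printf("loads across re-exec        -> %d\n", loads_across_reexec());
    return 0;
}
```

The last scenario is the case raised in the quoted review: when is_selinux_enabled() cannot see a loaded policy after the re-exec, the environment marker is what keeps the policy from being loaded twice.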




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#543420; Package upstart. (Fri, 11 Sep 2009 16:09:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. (Fri, 11 Sep 2009 16:09:07 GMT) Full text and rfc822 format available.

Message #103 received at 543420@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: russell@coker.com.au, 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Fri, 11 Sep 2009 18:04:54 +0200
Russell Coker wrote:

> 
> Philipp, thanks for your bug report.  I'm a bit short of time this week, I 
> would appreciate it if you could do some tests with upstart compiled with 
> this patch.  I will of course do all ongoing maintenance on this patch to 
> keep it up to date.
>

Regarding this patch: Is there a reason why init needs to be linked against
libsepol? From what I can see in the diff, it only uses functions from libselinux.

Cheers,
Michael
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Fri, 18 Sep 2009 15:03:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stephen Smalley <sds@tycho.nsa.gov>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Fri, 18 Sep 2009 15:03:07 GMT) Full text and rfc822 format available.

Message #108 received at 543420@bugs.debian.org (full text, mbox):

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Michael Biebl <biebl@debian.org>
Cc: russell@coker.com.au, 543420@bugs.debian.org
Subject: Re: Bug#543420: upstart: SELinux support
Date: Fri, 18 Sep 2009 10:40:42 -0400
On Fri, 2009-09-11 at 18:04 +0200, Michael Biebl wrote:
> Russell Coker wrote:
> 
> > 
> > Philipp, thanks for your bug report.  I'm a bit short of time this week, I 
> > would appreciate it if you could do some tests with upstart compiled with 
> > this patch.  I will of course do all ongoing maintenance on this patch to 
> > keep it up to date.
> >
> 
> Regarding this patch: Is there a reason why init needs to be linked against
> libsepol? From what I can see in the diff, it only uses functions from libselinux.

I don't think that is needed anymore; it was a legacy of older
libselinux.  Modern libselinux will dlopen libsepol upon the call to
selinux_init_load_policy().

-- 
Stephen Smalley
National Security Agency





Information forwarded to debian-bugs-dist@lists.debian.org, Michael Biebl <biebl@debian.org>:
Bug#543420; Package upstart. (Fri, 09 Apr 2010 09:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jeroen Dekkers <jeroen@dekkers.ch>:
Extra info received and forwarded to list. Copy sent to Michael Biebl <biebl@debian.org>. (Fri, 09 Apr 2010 09:42:03 GMT) Full text and rfc822 format available.

Message #113 received at 543420@bugs.debian.org (full text, mbox):

From: Jeroen Dekkers <jeroen@dekkers.ch>
To: 543420@bugs.debian.org
Subject: Status of Bug#543420
Date: Fri, 09 Apr 2010 11:17:58 +0200
Hi,

There has been no activity on this bug for over half a year, but it's not
marked wontfix either. Can anybody give a status update? It would be
nice if Squeeze ships with an upstart that can also be used when SE
Linux is enabled.

Kind regards, 

Jeroen Dekkers




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#543420; Package upstart. (Fri, 18 Jun 2010 04:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. (Fri, 18 Jun 2010 04:51:03 GMT) Full text and rfc822 format available.

Message #118 received at 543420@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: russell@coker.com.au, 543420@bugs.debian.org, Scott James Remnant <scott@ubuntu.com>
Cc: control@bugs.debian.org
Subject: Re: Bug#543420: Red Hat and Ubuntu got it wrong
Date: Fri, 18 Jun 2010 06:47:30 +0200
tags forwarded https://bugs.launchpad.net/upstart/+bug/595774
thanks

On 25.08.2009 01:20, Russell Coker wrote:
> http://etbe.coker.com.au/2008/07/24/se-linux-policy-loading/
> 
> I've described the issues related to init and SE Linux at the above URL.
> 
> I've attached a patch for upstart to make it load the policy, this patch was 
> written over a year ago, so some minor changes may be required.  But 
> basically the code is good.

Hi Russell,

I've reworked your patch a little, added a configure switch, reformatted it so
it fits the upstream coding style a bit better and makes it (hopefully) suitable
to be included upstream. The upstream bug report is [1], the patch is at [2].

I plan to upload a 0.6.6-1 package soonish with this patch included, if I don't
hear any complaints regarding this updated patch.

Cheers,
Michael


[1] https://bugs.launchpad.net/upstart/+bug/595774
[2] http://launchpadlibrarian.net/50522645/01-selinux.patch
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?


Set Bug forwarded-to-address to 'https://bugs.launchpad.net/upstart/+bug/595774'. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Fri, 18 Jun 2010 07:24:05 GMT) Full text and rfc822 format available.

Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sat, 19 Jun 2010 19:36:12 GMT) Full text and rfc822 format available.

Notification sent to Philipp Kern <pkern@debian.org>:
Bug acknowledged by developer. (Sat, 19 Jun 2010 19:36:12 GMT) Full text and rfc822 format available.

Message #125 received at 543420-close@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: 543420-close@bugs.debian.org
Subject: Bug#543420: fixed in upstart 0.6.6-1
Date: Sat, 19 Jun 2010 19:34:09 +0000
Source: upstart
Source-Version: 0.6.6-1

We believe that the bug you reported is fixed in the latest version of
upstart, which is due to be installed in the Debian FTP archive:

upstart_0.6.6-1.debian.tar.gz
  to main/u/upstart/upstart_0.6.6-1.debian.tar.gz
upstart_0.6.6-1.dsc
  to main/u/upstart/upstart_0.6.6-1.dsc
upstart_0.6.6-1_i386.deb
  to main/u/upstart/upstart_0.6.6-1_i386.deb
upstart_0.6.6.orig.tar.gz
  to main/u/upstart/upstart_0.6.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 543420@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated upstart package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 19 Jun 2010 21:15:12 +0200
Source: upstart
Binary: upstart
Architecture: source i386
Version: 0.6.6-1
Distribution: unstable
Urgency: low
Maintainer: Michael Biebl <biebl@debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Description: 
 upstart    - event-based init daemon
Closes: 543420 577710
Changes: 
 upstart (0.6.6-1) unstable; urgency=low
 .
   * New upstream release.
     - Mount /proc and /sys on initialisation. Closes: #577710
     - Since version 0.6.5 upstart no longer includes a internal copy of libnih
       but instead depends on it being installed system wide.
     - Provide a separate function to reconnect to the D-Bus system bus which
       can be triggered by the SIGUSR1 signal as a config reload has the
       negative side effect of losing state.
   * debian/control
     - Add Build-Depends on libnih-dev (>= 1.0.2), libnih-dbus-dev (>= 1.0.2)
       and nih-dbus-tool.
     - Bump Standards-Version to 3.8.4. No further changes.
     - Add ${misc:Depends}.
   * debian/conf/dbus-reconnect.conf
     - Use SIGUSR1 to tell upstart to reconnect to the D-Bus system bus.
   * debian/upstart.docs
     - Remove ChangeLog.nih which is no longer included in the source.
   * debian/conf/tty*.conf
     - Run getty in 8-bit clean mode to better handle UTF-8 environments.
   * Switch to source format 3.0 (quilt).
     - Drop Build-Depends on quilt.
     - Remove quilt.make include and patch/unpatch targets from debian/rules.
     - Add debian/source/format.
   * Add SELinux support. Closes: #543420
     - Add debian/patches/01-selinux.patch to make upstart load the policy if
       SELinux is enabled. Patch by Russell Coker with some minor changes and
       build system integration.
     - Add debian/patches/99-autoreconf.patch.
     - Add Build-Depends on libselinux-dev.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkwdF/AACgkQh7PER70FhVT7gQCglcF6r0JrmZKppVR8ntYEHuDR
XF8AoLa6fRHkVRXk9Md7lmsgHsnxwNVL
=JoyJ
-----END PGP SIGNATURE-----





Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Sat, 19 Jun 2010 19:36:12 GMT) Full text and rfc822 format available.

Notification sent to Manoj Srivastava <srivasta@debian.org>:
Bug acknowledged by developer. (Sat, 19 Jun 2010 19:36:12 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 28 Jul 2010 07:33:33 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:19:43 2014; Machine Name: buxtehude.debian.org
