From: Russell Coker <russell@coker.com.au>
To: Stephen Smalley <sds@epoch.ncsc.mil>,
	Daniel J Walsh <dwalsh@redhat.com>,
	James Morris <jmorris@redhat.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: init patch for loading policy
Date: Tue, 21 Oct 2003 23:56:32 +1000
Message-ID: <200310212356.32110.russell@coker.com.au>
In-Reply-To: <1066739557.27065.43.camel@moss-spartans.epoch.ncsc.mil>

On Tue, 21 Oct 2003 22:32, Stephen Smalley wrote:
> On a related note, someone else pointed out via private email that
> initramfs could be used with 2.6 for the initial policy load, and this
> wouldn't require any bootloader support.  That would avoid the legacy
> bootloader problems while still preserving the desirable aspects of an
> early policy load.

For the long term this is probably the best solution.  It avoids all the 
hackery we are going through now, and has no down-side.

I will clean up my initrd-policy for release then.  For the policy needed to 
get to the stage of running init and letting it load a proper policy to do 
the rest I can probably get it to below 100K uncompressed (probably <20K 
compressed).

My last experiments were at about 300K uncompressed, but that was for having 
the real SE Linux policy loaded from a script under /etc/rc.d/rc5.d.  So I 
had to have policy for updfstab, fsck, and lots of other things.  All that 
policy raised the potential for changes and also made the policy big.  Having 
the bare minimum for init_t and initrc_t will make it much smaller and a good 
candidate for linking in the kernel.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
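The mechanism discussed above, as an added example that is not part of this thread or of Russell's initrd-policy package: a minimal initramfs /init in C that mounts selinuxfs, hands the packed policy blob to the kernel in a single write() to the load node, and then execs the real init so that init's domain transition happens under the loaded policy. All paths are assumptions: a 2.6-era kernel mounted selinuxfs at /selinux (modern kernels use /sys/fs/selinux), the policy is assumed to be packed into the cpio as /policy.bin, and the real init is assumed to be /sbin/init. The write_file() helper exists only so the load path can be exercised offline against ordinary files.

```c
/* Added example: minimal initramfs /init that loads an SELinux policy and
 * execs the real init. Paths (/selinux, /policy.bin, /sbin/init) are
 * assumptions for this example, not from the thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Read an entire regular file into a malloc'd buffer. Returns length or -1. */
static ssize_t read_whole_file(const char *path, char **out)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size <= 0) { close(fd); return -1; }
    char *buf = malloc((size_t)st.st_size);
    if (!buf) { close(fd); return -1; }
    size_t got = 0;
    while (got < (size_t)st.st_size) {
        ssize_t n = read(fd, buf + got, (size_t)st.st_size - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { free(buf); close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    *out = buf;
    return (ssize_t)got;
}

/* Length of a file via read_whole_file(), or -1 (used by the offline test). */
static ssize_t file_len(const char *path)
{
    char *buf = NULL;
    ssize_t n = read_whole_file(path, &buf);
    free(buf);
    return n;
}

/* Create/truncate a file with the given bytes. Only used to stage a
 * constructed policy blob when testing off a real box. Returns len or -1. */
static ssize_t write_file(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        done += (size_t)n;
    }
    close(fd);
    return (ssize_t)len;
}

/* Hand the policy blob to the kernel with ONE write() on the selinuxfs load
 * node: the kernel consumes the whole binary policy from a single write, so a
 * short write is treated as failure rather than retried. Returns bytes
 * written or -1. */
static ssize_t load_policy(const char *policy_path, const char *load_node)
{
    char *policy = NULL;
    ssize_t len = read_whole_file(policy_path, &policy);
    if (len < 0) return -1;
    int fd = open(load_node, O_WRONLY | O_CLOEXEC);
    if (fd < 0) { free(policy); return -1; }
    ssize_t n = write(fd, policy, (size_t)len);
    int saved = errno;
    close(fd);
    free(policy);
    if (n != len) { errno = saved; return -1; }
    return n;
}

int main(void)
{
    const char *selinuxfs = "/selinux";        /* assumed 2.6-era mount point */
    const char *load_node = "/selinux/load";
    const char *policy    = "/policy.bin";     /* assumed path inside the cpio */

    if (mount("none", selinuxfs, "selinuxfs", 0, NULL) < 0 && errno != EBUSY) {
        perror("mount selinuxfs");
        return 1;   /* fail closed: no selinuxfs means no policy can be loaded */
    }
    if (load_policy(policy, load_node) < 0) {
        perror("load policy");
        return 1;   /* fail closed rather than boot the real init unconfined */
    }
    /* The real init now starts under the minimal policy and can load the
     * full one itself, as described in the thread. */
    execl("/sbin/init", "init", (char *)NULL);
    perror("execl /sbin/init");
    return 1;
}
```

Returning non-zero from an initramfs /init makes the kernel panic rather than continue, which is the deliberate fail-closed choice here: a boot that silently skipped the early policy load would look exactly like a successful one. The single write() matters because selinuxfs does not accumulate partial writes into one policy; a loop of smaller writes would be rejected.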
