selinux should be enabled and activate policy in the initramfs

Bug #124865 reported by Rui Bernardo
Affects                  Status     Importance  Assigned to  Milestone
selinux-basics (Ubuntu)  Won't Fix  Undecided   Unassigned
upstart (Ubuntu)         Won't Fix  Undecided   Unassigned

Bug Description

Binary package hint: upstart

When trying to install SELinux in Ubuntu 7.04 Feisty, I noticed that upstart doesn't work with SELinux.

To reproduce this you must do the following:

- Activate selinux in kernel boot options in GRUB:
      edit the file /boot/grub/menu.lst, and add "selinux=1" in the "# kopt=" line. Run "sudo update-grub" and reboot.

- Install the SELinux packages:
      sudo apt-get install selinux-basics selinux-utils checkpolicy policycoreutils selinux-policy-refpolicy-targeted

- Reboot to activate SELinux. After rebooting Ubuntu with upstart, when you execute the command "sestatus" the output is:

SELinux status: disabled

If you install the package "sysvinit", the shutdown is not performed. It ends with:

init: timeout opening/writing control channel /dev/initctl

I think that's another bug. It only happens the first time, just after installing the "sysvinit" package. To conclude the reboot, you have to either use Linux Magic Keys (Alt+SysRq) or press the reset button on the computer box.

After rebooting with the package "sysvinit" installed, if you execute the "sestatus" command with the package "sysvinit" installed, the output is:

SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 21
Policy from config file: refpolicy-targeted

I have tried many many times, but apparently SELinux doesn't work without the sysvinit package installed.

chantra (chantra) wrote :

I can confirm that even though I have selinux=1 enforcing=1 in grub, selinux is disabled.

Steven (stebalien)
Changed in upstart:
status: New → Confirmed
Hadmut Danisch (hadmut) wrote :

Hi,

I just upgraded to the pre-release version of gutsy.

Selinux still does not work with upstart.

Reason:

Usually it is init's task to initialize selinux. Therefore (e.g. in Debian) ldd /sbin/init shows that it is linked against /lib/libselinux.so.1

Ubuntu's upstart uses an init daemon that is not linked against selinux and thus cannot start selinux.

regards
Hadmut
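
Added example, not part of the original thread: the linkage check described in the comment above, combined with the kernel parameter and "sestatus" output from the bug description, to classify why SELinux is reported as disabled. The function names, verdict strings and sample inputs are constructed for illustration; a missing "selinux=1" is treated as a cause only because the reproduction steps on this page add it.

```shell
#!/bin/sh
# Added example: classify why SELinux ends up disabled, from three inputs
# collected with: cat /proc/cmdline; ldd /sbin/init; sestatus

# Prints "on", "off" or "unset" for the selinux= kernel boot parameter.
cmdline_selinux() {
    state=unset
    for tok in $1; do
        case "$tok" in
            selinux=1) state=on ;;
            selinux=0) state=off ;;
        esac
    done
    echo "$state"
}

# Succeeds if the given ldd output lists libselinux as a dependency.
links_libselinux() {
    printf '%s\n' "$1" | grep -q 'libselinux\.so'
}

# diagnose CMDLINE LDD_OUTPUT SESTATUS_OUTPUT -> one-word verdict
diagnose() {
    status=$(printf '%s\n' "$3" | sed -n 's/^SELinux status:[[:space:]]*//p')
    if [ "$status" = enabled ]; then echo policy-loaded; return; fi
    # Assumption: selinux=1 is required, as in this page's reproduction steps.
    if [ "$(cmdline_selinux "$1")" != on ]; then echo kernel-param-missing; return; fi
    if links_libselinux "$2"; then echo init-linked-check-policy
    else echo init-not-linked; fi
}

# Constructed sample inputs (not captured from a real system).
CMDLINE_SAMPLE='root=/dev/sda1 ro quiet splash selinux=1'
LDD_UPSTART='    libc.so.6 => /lib/libc.so.6 (0x00007f0000000000)'
LDD_SYSVINIT='    libselinux.so.1 => /lib/libselinux.so.1 (0x00007f0000000000)
    libc.so.6 => /lib/libc.so.6 (0x00007f0000000000)'

diagnose "$CMDLINE_SAMPLE" "$LDD_UPSTART" 'SELinux status: disabled'
diagnose "$CMDLINE_SAMPLE" "$LDD_SYSVINIT" 'SELinux status: enabled'
```

The verdict "init-not-linked" corresponds to the upstart case reported here; "init-linked-check-policy" means init could load a policy, so the installed policy and its configuration are the next thing to inspect.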

Scott James Remnant (Canonical) (canonical-scott) wrote :

With upstart, selinux should ship something that enables the policy within the initramfs

Christer Edwards (christer.edwards) wrote :

I am running gutsy tribe 5 (sept 19, 2007 current) and trying to deploy SELinux. Are there any known workarounds to the above bugs? While I'd like to have this bug fixed more immediately I'd like to be able to deploy SELinux if anyone has any suggestions.

Changed in upstart:
status: Confirmed → Won't Fix
Rui Bernardo (epimeteo) wrote :

From my testing in Feisty (look at my first post), it worked if the package "sysvinit" is installed. It will remove upstart. I didn't test it in Gutsy, though.

Marques Johansson (marques) wrote : Re: [Bug 124865] Re: selinux is not enabled with upstart

In gutsy at least, it should be noted that apparmor is available
(installed by default?) and facilitates the same function as selinux
with marginal differences.

On 10/10/07, Rui Bernardo <email address hidden> wrote:
> From my testing in Feisty (look at my first post), it worked if the
> package "sysvinit" is installed. It will remove upstart. I didn't test
> it in Gutsy, though.

--
Marques Johansson
<email address hidden>

Christer Edwards (christer.edwards) wrote : Re: selinux is not enabled with upstart

@Marques - Some of us would prefer to use SELinux over AppArmor though is the problem.

Caleb Case (calebcase) wrote :

The new 'selinux' package (which replaces 'selinux-basics') provides the proper support for using SELinux with Upstart. The selinux package is available in Hardy. Please see the HardySELinux page for more information: https://wiki.ubuntu.com/HardySELinux

Kees Cook (kees)
Changed in selinux-basics:
status: New → Won't Fix