SELinuxProject / refpolicy

SELinux Reference Policy v2
https://github.com/SELinuxProject/refpolicy/wiki
GNU General Public License v2.0

Support for dinit init system and service manager #811

Closed WavyEbuilder closed 1 month ago

WavyEbuilder commented 1 month ago

Hi!

I'm looking to add support for the dinit init system and service manager to the refpolicy. I had a few questions along the way, so I thought I would create an issue to track them here.

1) Would upstream be interested in this?

2) Regarding unit files, the current policy seems very much designed around the concept that only systemd has unit files, and all other init systems have init scripts. In the case of dinit this is wrong; dinit has unit files. For example, the init_unit_files interface has the following policy:

gen_require(`
  attribute systemdunit;
')
files_type($1)
typeattribute $1 systemdunit;

This quite clearly is designed around systemd here. A possible design idea I had for this was to make use of the already existing systemd build option, allowing for something like this:

interface(`init_unit_file',`
  ifdef(`init_systemd',`
    gen_require(`
      attribute systemdunit;
    ')
    files_type($1)
    typeattribute $1 systemdunit;
  ')
  ifdef(`init_dinit',`
    gen_require(`
      attribute dinitunit;
    ')
    files_type($1)
    typeattribute $1 dinitunit;
  ')
')

Would this be a desirable approach to upstream? My approach going into this is to ensure that no significant changes (ideally none) are needed outside of the base system init policy, keeping interface APIs the same.

3) Are there any caveats/stumble-blocks I should be careful with along the way that should be noted?

Thanks

pebenito commented 1 month ago

1. This is the first time I've heard of dinit. Looking at the GitHub info, it doesn't seem that any of refpolicy's distros support this. If that's the case, we wouldn't be interested in dinit support. However, that's not a final answer, as it also depends on the scope of changes needed to support dinit.
2. Not knowing much of anything about dinit, I can't say for sure.
3. Can't say for sure at this time.

WavyEbuilder commented 1 month ago

Thanks, I appreciate the quick response. As for "it doesn't seem that any of refpolicy's distros support this", that seems to be correct from what I have seen, yes. I'll bear "it doesn't seem that any of refpolicy's distros support this." in mind to try and minimize the changes outside of the base interfaces in the init policy module for example.

Thanks again