init: optionally load the system SELinux policy

[WavyEbuilder]

Implements #399 . Currently a draft PR for some of the reasons noted in that issue. Another thing to add:

• I saw mentioned here, https://github.com/davmac314/dinit/issues/240#issuecomment-1963096377, that you don't want to be falling back to C interfaces. For now, I'm just calling fprintf if the SELinux policy fails to load (as /dev/console is likely unable to be accessed at that point). Would you prefer std::cout to be used for now in this case?

[WavyEbuilder]

Current TODO (just to note I am aware of it) is to link against libselinux in the Makefile.

[WavyEbuilder]

I've added an --enable--selinux option to the configure script, however I am not really sure how best to go about linking against libselinux as it is an optional dependency. Any advice in this regard?

[WavyEbuilder]

Think I've got that sorted by passing a linker flag.

[davmac314]

I will review properly when I get a chance. I don't know a heap about SELinux so bare with me. A couple of things I will point out now though:

• Definitely avoid using fprintf, it's best if you can keep to the conventions already used throughout. cerr would normally be the right option for a definite error message, however, output should generally go via the log interface instead of directly via cout/cerr. Eg log(loglevel_t::ERROR, "(error message here)") possibly followed by flush_log() if this is before a call to exit().
• I'm not a fan of the re-exec approach either. If the correct label can be assigned to the already-running executable (i.e. what systemd apparently does), it seems like we should just do that.
• I'm inclined to think that there should either be a command-line option to disable loading the policy, or that should be the default and there should a command-line option to enable it.
• Probably the whole setup should be moved to its own separate function

[WavyEbuilder]

Hey! Appreciate the fast response.

Definitely avoid using fprintf, it's best if you can keep to the conventions already used throughout. cerr would normally be the right option for a definite error message, however, output should generally go via the log interface instead of directly via cout/cerr. Eg log(loglevel_t::ERROR, "(error message here)") possibly followed by flush_log() if this is before a call to exit().

A lot of the other init systems mentioned /dev/console not being available at that point in time (which is a reasonable assumption as if the policy fails to load there is a good chance SELinux would block access to /dev/console). I had a quite glance through dinit-log.cc and it appears like it just uses stdout - would this be correct?

I'm not a fan of the re-exec approach either. If the correct label can be assigned to the already-running executable (i.e. what systemd apparently does), it seems like we should just do that.

I'll make sure to change that to use setcon_raw(3)

I'm inclined to think that there should either be a command-line option to disable loading the policy, or that should be the default and there should a command-line option to enable it.

Generally the command-line option is provided to the kernel cmdline (which the selinux_init_load_policy parses and handles for us). The main options are enforcing=0 (force SELinux to boot in enforcing mode regardless of /etc/selinux/config) and selinux=0 (disable selinux alltogether). So as far as I can tell, all of that should be handled for us

Probably the whole setup should be moved to its own separate function

I'll make sure to do that

[WavyEbuilder]

Also, would you like me to commit any changes as separate commits until you are happy with it so you can see the diffs between changes a bit easier, or would rebasing be preferred?

[WavyEbuilder]

Alright took a look at this a bit more thoroughly and I have a few design questions to raise quickly, notably regarding Probably the whole setup should be moved to its own separate function:

1. Shall we plan ahead now for other security frameworks? I'm only really an SELinux guy as I mentioned in #399 , but it might be worth doing similar to systemd, i.e.:

   static int initialize_security(
               bool *loaded_policy,
               dual_timestamp *security_start_timestamp,
               dual_timestamp *security_finish_timestamp,
               const char **ret_error_message);

   Then we could just call our implementation of a similar function once in dinit_main (ideally as early as possible, being security frameworks it makes sense to attempt to load them as early as possible). Now given that we have C++ to hand here, I was wondering how to go about propagating errors back. Being C++11, we don't have anything like std::optional, but taking a look at some functions that can return failure in dinit's source, they appear to return a bool. My original idea was something like std::optional<std::string> (and returning an error message on failure, otherwise std::nullopt), but of course that is only available in C++17. Would something like char * work here instead then maybe (returning nullptr on success... though that's a bit strange granted)? Or is the specific failure message relevant at all here and should we just return a bool to indicate success status?

2. Regarding headers for this, I was thinking maybe something along the lines of: src/includes/mac-util.h // contains initialize_security, might be worth just putting it in dinit-util.h? src/includes/dinit-mac/selinux.h // SELinux helper functions so we could (like systemd again) just quickly call a generic setup function for each MAC framework.

I think that'd be a reasonable way of structuring things, but being my first PR to dinit and my first real work on a C++ project below 14, your input would be greatly appreciated.

Thanks!

[davmac314]

taking a look at some functions that can return failure in dinit's source, they appear to return a bool ... Would something like char * work here instead then maybe (returning nullptr on success... though that's a bit strange granted)? Or is the specific failure message relevant at all here and should we just return a bool to indicate success status?

Log any relevant message (via log(...) functions), then return a bool (usually false for failure).

Shall we plan ahead now for other security frameworks?

If we're just talking about adding a single method, I don't see any advantage in doing that now, as it can easily be done if and when support for other security frameworks are added. Let's just keep it simple.

Generally the command-line option is provided to the kernel cmdline (which the selinux_init_load_policy parses and handles for us). The main options are enforcing=0 (force SELinux to boot in enforcing mode regardless of /etc/selinux/config) and selinux=0 (disable selinux alltogether). So as far as I can tell, all of that should be handled for us

Ok, that sounds fine.

[davmac314]

Generally the command-line option is provided to the kernel cmdline (which the selinux_init_load_policy parses and handles for us). The main options are

Actually, thinking about this more, there may still be cases where SELinux is enabled but the loading of the policy should not be performed. One example is given by the Systemd code here.

Also, can you clarify what this might mean? I want to know what file descriptors SELinux would keep open and in what circumstances.

Are you doing this work for a distribution or is it a more personal endeavour?

[davmac314]

(Finally: make sure you have read CONTRIBUTING and CODE-STYLE documents, if you haven't already. Thanks!).

[WavyEbuilder]

Log any relevant message (via log(...) functions), then return a bool (usually false for failure).

Got it, thanks :)

If we're just talking about adding a single method, I don't see any advantage in doing that now, as it can easily be done if and when support for other security frameworks are added. Let's just keep it simple.

Yup, makes sense, should be fairly easy with to deal in the future. Will do!

Actually, thinking about this more, there may still be cases where SELinux is enabled but the loading of the policy should not be performed. One example is given by the Systemd code here.

That's a good example. For that specific initrd case, I had a look at systemd's in_initrd(void) function and found this comment:

/* If /etc/initrd-release exists, we're in an initrd.
 * This can be overridden by setting SYSTEMD_IN_INITRD=0|1.
 */ 

Would you like to do the same with an override here? (maybe something more like DINIT_IN_INITRD)

If you'd still like to add a flag override of some sorts to tell dinit to not load the selinux policy, I feel like that should be an opt in sort of thing, because while not loading the selinux policy won't load any of the user's policy, it doesn't mean selinux won't be loaded. In that case, everything runs in the kernel context, and taking my distro (Gentoo) as an example, Portage fails to operate if I just run with the system booted in the kernel context, so that is very much an edge case and almost never intended to be a reality. But the initrd case makes sense.

Also, can you clarify what this might mean? I want to know what file descriptors SELinux would keep open and in what circumstances.

Afaik this is generally in the case of when it needs to audit something related to that fd so it keeps it open for a bit? I remember seeing something similar in the past, but I'm not exactly too happy with that answer as I can't answer it with 100% confidence, so if that's okay I'll do a bit of digging in the libselinux docs and get back to you on that.

Are you doing this work for a distribution or is it a more personal endeavour?

I'm currently using Gentoo and dinit on basically all of my systems (which doesn't have upstream Gentoo support currently), however I am hoping to try improving the support (and maybe possibly getting official support) for dinit for both Adelie and Gentoo (nothing offical, just me on my own there, though I have spoken to some developers of the respective distros about that, but absoloutly nothing really offical yet). This specific piece of work was started when I hit a few weird bugs with my SELinux policy while dealing with a few ebuilds for dinit related to SELinux (policy for it), so in the future as Gentoo has offical SELinux support it might be useful, but for now really just take it as a personal endeavour, I'm not affiliated with any distro officially :)

(Finally: make sure you have read CONTRIBUTING and CODE-STYLE documents, if you haven't already. Thanks!).

Had a read over them already, but I'll make sure to reread CODE-STYLE

[WavyEbuilder]

Did a bit of digging and found this commit https://github.com/systemd/systemd/commit/a3dff21ae882adadd946c51284bac9b14568f598 which seems to explain it quite nicely.

[WavyEbuilder]

Hmm reading the setcon(3) man page:

sets  the  current  security context of the process to a new value.  Note that use of this function requires that the entire application be trusted to maintain any desired separation between the old and new security contexts, unlike exec-based transitions performed via setexeccon(3).  When possible, decompose your application and use setexeccon(3) and execve(3) instead.

Still seems fine to transition with setcon_raw(3), but it probably makes sense to make sure to do it as early as possible, before we open any other file descriptors. I'll push a new commit using setcon_raw(3) shortly.

[WavyEbuilder]

I think it'll be best to consider how SELinux aware we want dinit to be at this stage. After reading some more man pages and systemd code, it seems like systemd transitioning itself to the new context is an okay option as they already make heavy use of selinux throughout (i.e. in transient units which have an SELinuxContext= option). However, if our only goal (at least in the short-term) is to load the policy, then I think it makes sense to stick with the execve(3) solution.

If we want to be a little bit more SELinux aware, (i.e. if it is not unforeseeable to make use of libselinux more throughout dinit), then I would probably start off by creating an selinux utils header of some point as there is quite a bit of setup, etc that'll need to be done.

My personal opinion would be (for the sake of simplicity) to stick with the execve(3) solution as it'd be a fair amount simpler for now. In the future, if something like the dinit-run and transient units mentioned in https://github.com/davmac314/dinit/issues/253#issuecomment-1789942637 gets implemented, we could add support for launching said units with a specific selinux context (I'd be happy to work on something like that), and at that point as that'd require a decent amount of setup anyway, it'd make sense to just use setcon_raw(3) at that point. I'm guessing the (relatively) unneeded complexity of correctly transitioning ourself to the right domain after loading the policy is why the other simpler init systems (openrc, sysvinit, etc) that don't really make use of a lot of SELinux's features just load the policy and relaunch themselves.

However, if you'd still like to continue with setting our own context, I can go down that route. It'd require a bit more design though, so it might be worth working on getting some helper functions stubbed out firstly.

[davmac314]

for now really just take it as a personal endeavour, I'm not affiliated with any distro officially :)

That's fine but it will need a commitment from you that you will support it going forward, or otherwise make it clear that it's experimental/unsupported in relevant documentation. (Incidentally I think you missed updating the build instructions - that's something that would need to be added).

To be honest I'm not sure I'm following your reasoning in a few ways:

it seems like systemd transitioning itself to the new context is an okay option as they already make heavy use of selinux throughout (i.e. in transient units which have an SELinuxContext= option)

I don't really understand why that makes a difference. What is the reason why this would not be a good option for dinit as well? (I get that Dinit doesn't provide specific support for SELinux features when executing service processes, but why does that make a difference as to the mechanics of how the policy is loaded?)

I'm fine with the policy loading happening very early in dinit's execution. But:

My personal opinion would be (for the sake of simplicity) to stick with the execve(3) solution

If we are going to call execve anyway, I'm not sure I see any point having the functionality in dinit itself. It could just as well be a wrapper (called init) that loads the policy and then execves dinit. Or am I missing something? Having dinit re-exec itself on each boot doesn't seem right to me at all.

I know you had a few other questions for me and I can go back to those, but I really need some clarification on these points. I don't want to be discouraging but it seems like there are a few details you're not really sure of yourself, and that gives me some pause. I'm hesitant to incorporate something where I really don't understand why things have been done the way they have. If there's open questions that you need to sort out, please feel free to take whatever time you need to do that, but let's get them sorted first and talk details of the code then.

[WavyEbuilder]

Hey,

That's fine but it will need a commitment from you that you will support it going forward, or otherwise make it clear that it's experimental/unsupported in relevant documentation. (Incidentally I think you missed updating the build instructions - that's something that would need to be added).

I can commit to that, but would also be happy mentioning it is experimental.

I don't really understand why that makes a difference. What is the reason why this would not be a good option for dinit as well? (I get that Dinit doesn't provide specific support for SELinux features when executing service processes, but why does that make a difference as to the mechanics of how the policy is loaded?)

I think I phrased that badly earlier, I'll rephrase it a little here now. Systemd makes use of SELinux a lot inside it being quite SELinux aware so it already has a lot of boilerplate that will be used elsewhere. The reason why transitioning to the new context is a little more complex is because it requires a bit more setup, we are in a privileged domain at that point and we are sort of entrusting ourselves to do it right, so it'd require a fair amount more code I would think.

If we are going to call execve anyway, I'm not sure I see any point having the functionality in dinit itself. It could just as well be a wrapper (called init) that loads the policy and then execves dinit. Or am I missing something? Having dinit re-exec itself on each boot doesn't seem right to me at all.

An initramfs can work fine for this (and often is!) or some simpler pid 1 that's only job is to launch dinit properly with the right context, but (at least to me) that feels a little unnecessary.

I know you had a few other questions for me and I can go back to those, but I really need some clarification on these points. I don't want to be discouraging but it seems like there are a few details you're not really sure of yourself, and that gives me some pause.

That's fair, I did phrase it quite badly above. My main reasoning was based off the Let's just keep it simple. comment, so basically the only "problem" is that it's just a bit more work that we need to get right for (at least in my opinion) minimal gain. However there's nothing preventing us from doing that if you wish :) It's just a bit more code, so I thought I'd mention that.

I'm hesitant to incorporate something where I really don't understand why things have been done the way they have. If there's open questions that you need to sort out, please feel free to take whatever time you need to do that, but let's get them sorted first and talk details of the code then.

That makes sense. For now I'll just presume we're going down the route of transitioning ourselves to a new context and I'll push in a bit with an example of that and let you compare.

Incidentally I think you missed updating the build instructions - that's something that would need to be added). I did miss that, my bad, I'll make sure to update that as well.

[davmac314]

I think I phrased that badly earlier, I'll rephrase it a little here now. Systemd makes use of SELinux a lot inside it being quite SELinux aware so it already has a lot of boilerplate that will be used elsewhere. The reason why transitioning to the new context is a little more complex is because it requires a bit more setup, we are in a privileged domain at that point and we are sort of entrusting ourselves to do it right, so it'd require a fair amount more code I would think.

This, I guess, is what I don't understand. I can see that opening file descriptors before loading the policy might give access to things that the policy will then disallow but, if we are loading the policy quite early and we have opened file descriptors then in fact we do need those file descriptors. If the policy disallowed that access then that would be a broken policy anyway. Dinit doesn't go around just casually opening files. Likewise any other resource it has accessed, it probably needs. And anyway, as far as I can tell, applying the security label will enforce access against file descriptors that were opened previously anyway.

Eg from https://www.systutorials.com/docs/linux/man/3-setcon_raw/ -

Since access to file descriptors is revalidated upon use by SELinux, the new context must be explicitly authorized in the policy to use the descriptors opened by the old context if that is desired.

If the process was being ptraced at the time of the setcon() operation, ptrace permission will be revalidated against the new context and the setcon() will fail if it is not allowed by policy.

Given those are taken care of (and ptrace shouldn't be an issue anyway), and given that we'd be loading the policy early (before doing just about anything anyway), what would be the concerns in regards to "entrusting ourselves to do it right?" I'm after concrete examples.

An initramfs can work fine for this (and often is!) or some simpler pid 1 that's only job is to launch dinit properly with the right context, but (at least to me) that feels a little unnecessary.

To me it feels unnecessary to me add specific support (including a library dependency) for something in Dinit which can be handled just as well from outside, and re-executing our own process right after we start honestly just feels like a hack. At the moment my position on that is a "no", I would need to be given a good, concrete reason for why that should change.

Applying the security context within the already-running process without re-execing would be acceptable, though.

My main reasoning was based off the Let's just keep it simple. comment, so basically [...] It's just a bit more code, so I thought I'd mention that.

A little bit more code isn't an issue, if we have already gone as far as adding a dependency and providing support for SELinux then we may as well do it properly. My bad for the "keep it simple" comment which caused confusion - I meant, keep it restricted to the specific functionality that you are wanting to implement; we don't need abstraction layers for handling other security frameworks, etc.

But before you said:

so it'd require a fair amount more code I would think.

Is it a bit, or is it a fair amount? (or am I conflating two different things?) (Edit: what I'm really asking is: is it a matter of say 3-4x the amount of code currently in the PR, all confined to a single function? Or are we talking sweeping changes throughout the codebase? If it's the former, that's totally fine).

[WavyEbuilder]

As for entrusting ourselves to do it right, the main concern surrounds file descriptors. That is why I'm a little worried about the log interface. We don't want to leave any of our file descriptors open when we transition. Then in effect we would have a "context mismatch" otherwise, as the file descriptor inherits the context of the process it was opened by. So we would have issues regarding access control to existing contexts at that point . That's ideally why I'm thinking we load ourselves as early as possible. If we do that, we should be fine.

A good example is this. Imagine we start out with kernel context (what dinit starts out with on my system before the policy is loaded). We have some fd's opened, and the kernel context has permission to use them. Now we load the policy, transition ourselves, and the loaded policy executes us as init_t. In the Gentoo refpolicy, then that kernel context becomes kernel_t. Now SELinux will prevent us from using those open file descriptors.

(Edit: what I'm really asking is: is it a matter of say 3-4x the amount of code currently in the PR, all confined to a single function? Or are we talking sweeping changes throughout the codebase? If it's the former, that's totally fine).

Oh I see what you meant by keeping it simple now :) I was a bit confused with what you were after, but it shouldn't really require any sweeping changes for the codebase, it should all be confined to that function we'll make to load the policy, which will be the thing that's a bit longer. That's all good then, I can make the transition work.

I'll get to work on that, and if there are any concerns please let me know. Thanks for all the time you've given this so far, appreciated a lot.

[WavyEbuilder]

Alright I think I've got this working as desired now. I've just made a function selinux_transition that is above dinit_main for now so you can take a look, if you'd like me to move it let me know.

If anything is unclear/you feel any comments are needed, please let me know, and I'll make sure to add them.

[WavyEbuilder]

(just updated an error message as i'm not longer using setexeccon_raw(3) and removed a close as i am no longer opening something else). Should be ready for review now

[WavyEbuilder]

Just fixed another silly mistake, forgot to chance 0 and 1 to true and false as I changed the return type to a bool as you suggested. My apologies, actually ready for review now.

[davmac314]

Could you remove the "Draft:" status if it's ready? I'll get to it when I can.

A couple of things I noticed when looking quickly now:

• could you add a command-line option to inhibit loading the security policy?
• there is still no build documentation
• "I can commit to that, but would also be happy mentioning it is experimental." - I don't see any mention, did you change your mind about that? Like I said, it's fine if you can commit to supporting this going forward, but otherwise it should be clearly tagged as experimental and unsupported.

Can I ask you to please go through our discussion and double-check you've addressed the things we did discuss.

One other thing I noticed now:

• selinux_transition function should be static

Answers to some of your earlier questions:

Also, would you like me to commit any changes as separate commits until you are happy with it so you can see the diffs between changes a bit easier, or would rebasing be preferred?

You can squash commits but don't rebase onto any changes in master (if there are any), thanks.

I had a look at systemd's in_initrd(void) function and found this comment: [...] Would you like to do the same with an override here?

No, just a command line option.

[WavyEbuilder]

Could you remove the "Draft:" status if it's ready? I'll get to it when I can.

Will do

I can commit to that, but would also be happy mentioning it is experimental." - I don't see any mention, did you change your mind about that? Like I said, it's fine if you can commit to supporting this going forward, but otherwise it should be clearly tagged as experimental and unsupported.

I'm 100% happy to commit to it. I'll keep an eye on the repo, and please feel free to ping me in any issues or pull requests, etc that show up regarding this.

Can I ask you to please go through our discussion and double-check you've addressed the things we did discuss.

Ah yea, just wanted to show the other the transition. Now we're at this stage I'll make sure to do all of that now :)

You can squash commits but don't rebase onto any changes in master (if there are any), thanks.

I'll make sure to, thank you.

No, just a command line option.

Got it. I'll do that now as well.

Thanks once again

[WavyEbuilder]

Done. Just need to also document the --disable-selinux flag in the man pages, doing that now

[WavyEbuilder]

All ready for review

[WavyEbuilder]

Appear to have some build system errors with the Makefile, taking a look.

[WavyEbuilder]

Sorry about that, the build worked after running the configure script and with meson so I didn't notice it. Should be working now

[WavyEbuilder]

Ready for review again

[WavyEbuilder]

Will push with these changes soon

[WavyEbuilder]

Hi Davin,

Sorry for the delay, was a bit busy the last couple of days. Ready for review again.

[WavyEbuilder]

Just noticed a small thing in the printVersion output that the other optional features print, I've replicated that with SELinux. Happy to revert if desired.

[davmac314]

@mobin-2008 can I ask you to review the meson build changes in this PR?

[WavyEbuilder]

Thanks Davin, I'll make sure to get that sorted now

[WavyEbuilder]

Done, should be ready for review again.

[WavyEbuilder]

should be sorted now @mobin-2008

[WavyEbuilder]

Nevermind, it fails to build on boxes without libselinux. I'll resolve this now.

[WavyEbuilder]

All sorted, ready for review

[mobin-2008]

Looks good unless, the libselinux.found() is the correct check for this. Remove the if and use set10() instead as before.

Also for more consistency with https://github.com/davmac314/dinit/pull/404, Could you change the libselinux to libselinux_dep?

[WavyEbuilder]

Will do this now

[WavyEbuilder]

Hmm as for the libselinux.found() being the correct check, what would your thoughts be here Davin? A system with libselinux is basically guaranteed to support selinux in my book, but they might not want the policy loaded at build time still (I am ignoring some of the other selinux awareness I plan to do for now as you mentioned in the BUILD documentations, I can also adjust this later).

[mobin-2008]

Hmm as for the libselinux.found() being the correct check, what would your thoughts be here Davin? A system with libselinux is basically guaranteed to support selinux in my book, but they might not want the policy loaded at build time still (I am ignoring some of the other selinux awareness I plan to do for now as you mentioned in the BUILD documentations, I can also adjust this later).

The meson is smart enough to set SUPPORT_SELINUX 0 when the -Dsupport-selinux=disabled is used. I tested it.

[mobin@[Redacted] dinit-selinux]$ meson setup dirbuild -Dsupport-selinux=disabled
The Meson build system
Version: 1.6.0
Source dir: /home/mobin/dinit-selinux
Build dir: /home/mobin/dinit-selinux/dirbuild
Build type: native build
Project name: dinit
Project version: 0.19.0
C++ compiler for the host machine: c++ (gcc 14.1.1 "c++ (GCC) 14.1.1 20240720")
C++ linker for the host machine: c++ ld.bfd 2.42.0
Host machine cpu family: x86_64
Host machine cpu: x86_64
Dependency libselinux skipped: feature support-selinux disabled
Header "utmpx.h" has symbol "_PATH_UTMPX" : YES 
Header "utmpx.h" has symbol "_PATH_WTMPX" : YES 
Configuring mconfig.h using configuration
Build targets in project: 11

dinit 0.19.0

  User defined options
    support-selinux: disabled

Found ninja-1.12.1 at /usr/sbin/ninja
[mobin@[Redacted] dinit-selinux]$ cat dirbuild/mconfig.h 
// This file (is or will be) auto-generated by meson.

#ifndef DINIT_MCONFIG_H
#define DINIT_MCONFIG_H 1

// Defines

#define USE_UTMPX 1
#define USE_INITGROUPS 1
#define SUPPORT_CGROUPS 1
#define SUPPORT_SELINUX 0
#define DEFAULT_AUTO_RESTART ALWAYS
#define DEFAULT_START_TIMEOUT 60
#define DEFAULT_STOP_TIMEOUT 10

// Constants

constexpr static char DINIT_VERSION[] = "0.19.0";
constexpr static char SYSCONTROLSOCKET[] = "/run/dinitctl";
constexpr static char SBINDIR[] = "/sbin";
constexpr static char SHUTDOWN_PREFIX[] = "";

#endif // DINIT_MCONFIG_H
[mobin@[Redacted] dinit-selinux]$ git diff -P 
diff --git a/meson.build b/meson.build
index 7a35b8d..3155316 100644
--- a/meson.build
+++ b/meson.build
@@ -69,6 +69,7 @@ mconfig_data.set('DEFAULT_AUTO_RESTART', default_auto_restart)
 mconfig_data.set('DEFAULT_START_TIMEOUT', default_start_timeout)
 mconfig_data.set('DEFAULT_STOP_TIMEOUT', default_stop_timeout)
 mconfig_data.set10('USE_INITGROUPS', use_initgroups)
+mconfig_data.set10('SUPPORT_SELINUX', libselinux.found())
 if support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled()
     mconfig_data.set('SUPPORT_CGROUPS', '1') 
 endif
@@ -78,9 +79,9 @@ if use_utmpx.enabled() or (use_utmpx.auto() and compiler.has_header_symbol('utmp
 else
     mconfig_data.set('USE_UTMPX', '0')
 endif
-if support_selinux.auto() and libselinux.found() and platform == 'linux' or support_selinux.enabled()
-    mconfig_data.set('SUPPORT_SELINUX', '1')
-endif
+#if support_selinux.auto() and libselinux.found() and platform == 'linux' or support_selinux.enabled()
+#    mconfig_data.set('SUPPORT_SELINUX', '1')
+#endif
 configure_file(

[WavyEbuilder]

Ah I see what you mean, my apologies, I misunderstood you. Will fix now.

[WavyEbuilder]

All ready for review

[davmac314]

See note above regarding dependencies in meson.build, sorry about that but I think it was right first time and should be changed back to how you had it originally.

I'll review the rest again as soon as I can, with any luck it will be a simple review :)

[WavyEbuilder]

Thanks!

About the meson.build then, as I switched back to:

mconfig_data.set10('SUPPORT_SELINUX', libselinux_dep.found())

are we good to go now for that or are there any other changes needed? I think I fixed everything in the note above :)

[davmac314]

About the meson.build then, as I switched back to: [...] are we good to go now for that

Please see the comment that I referred to: https://github.com/davmac314/dinit/pull/400#discussion_r1818201369 It's about a different change.

[WavyEbuilder]

Ah I see, I'll look into that now.

[WavyEbuilder]

As Eli mentioned here, https://github.com/davmac314/dinit/pull/400#discussion_r1818239780, I think that should be okay? Let me know your thoughts :)

[davmac314]

As Eli mentioned here, #400 (comment), I think that should be okay? Let me know your thoughts :)

I guess it is ok after all. :) I still need to re-review.

[davmac314]

Also, I don't think you answered this:

The documentation is in general pretty light. Is there anything more we need to say about SELinux either in the dinit man page or in a separate readme file? Eg: does the SELinux support require anything - does it need special filesystems (/proc and/or /sys) to be mounted before dinit starts, for example?