[systemd-devel] dracut: ordering of modules

Mimi Zohar zohar at linux.vnet.ibm.com
Sat Feb 11 16:17:25 PST 2012

On Fri, 2012-02-10 at 19:14 +0100, Lennart Poettering wrote:
> On Fri, 10.02.12 16:31, Roberto Sassu (roberto.sassu at polito.it) wrote:
> > 
> > Hi Mimi
> > 
> > i'm CCing the systemd and Fedora SELinux mailing lists.
> > 
> > Unfortunately, the SELinux policy initialization (at least
> > in Fedora 16) has been moved to systemd, so, now, loading an
> > IMA policy cannot be done in the initial ramdisk.
> > 
> > Further, the SELinux policy loading code is not in a unit file
> > but embedded in the main binary, which means that the new code for
> > loading IMA policies must be added just after that point.
> > 
> > I already wrote a patch for this. I need some time to test it
> > and will post in the systemd mailing list at the beginning of
> > the next week.

Thanks Roberto!
> Hmm, what is this about? You need a place to load additional security
> policies into the kernel at early boot? For SELinux that indeed takes
> place from within PID 1 now in systemd. I'd expect that other security
> technologies like AppArmor should work the same.

The IMA measurement/appraisal policy, which is described in
Documentation/ABI/testing/ima_policy, can be based on a number
of criteria.  One of these criteria are LSM subj/obj labels. The IMA
measurement/appraisal policy should be loaded as early as possible, but
only after the LSM policy has been loaded.


> If you want to hack on this basing your work on selinux-setup.c in the
> systemd tree should be fairly easy.
> Lennart

More information about the systemd-devel mailing list