On Sat, 05 Jul 2014 11:46:08 +1000, Russell Coker <[email protected]> wrote:

> > The current version of libselinux1.postinst runs "telinit u" to tell
> > init to re-exec itself. This was added so the system can shut down
> > cleanly when sysvinit is the active PID 1.
>
> AFAIK that was never the case.
>
> The reason for running "telinit u" when a shared object that init
> uses is upgraded is so that init will start using the new version.
>
> I don't think we can unconditionally avoid such an operation. If at
> some future time we find a security flaw in one of those libraries
> that can affect the operation of process 1 there needs to be a way of
> causing the buggy library to be removed from memory. If systemd is
> unable to handle this correctly then that would be a bug in systemd.
>
> Also there is the possibility of an upgrade requiring a file format
> change to something under /etc/selinux. Upgrades of SE Linux user
> space between major versions of Debian without a reboot are
> officially unsupported (I'll close any bug report of the form "I did
> a dist-upgrade from wheezy to jessie without rebooting and things
> didn't work correctly"), so this shouldn't be a problem.
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=753790
>
> I don't think that systemd needs to get the new library instantly
> (not even for a security issue). But it definitely needs to get it
> before the next reboot (which may be a year later). So maybe we
> could have a trigger or something and let systemd work it out. I
> have filed bug report #753790 against systemd for this.

Quickly looking at the libsepol case, I'm not sure why we are re-executing
init in this case at all. sysvinit doesn't seem to use any of its symbols
and libselinux itself is statically linked against it. Or did I overlook
something?

Cheers,

Laurent Bigonville

_______________________________________________
SELinux-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
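The thread's point is that a library upgrade only reaches PID 1 once init re-execs (that is what "telinit u" achieves under sysvinit), and until then the old, possibly buggy, copy stays mapped in memory. The following script is an added example, not part of the thread, of the libselinux1 packaging, or of sysvinit/systemd: it checks whether a running process still maps a shared object whose file on disk has been replaced. It assumes the Linux /proc/<pid>/maps layout (address, perms, offset, dev, inode, path, optional "(deleted)" marker) and that library paths contain no spaces; the sample maps text is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect shared objects that a
# process still has mapped after dpkg replaced the file on disk. The old inode is
# unlinked but stays mapped until the process re-execs; the kernel appends
# "(deleted)" to such entries in /proc/<pid>/maps.

# Parse /proc/<pid>/maps-format text from stdin and print each distinct shared
# object path (".so" or ".so.N...") that is mapped from a deleted file.
stale_libs_from_maps() {
    awk '$6 ~ /\.so(\.[0-9]+)*$/ && $7 == "(deleted)" { seen[$6]++ }
         END { for (p in seen) print p }' | sort
}

# Run the same check against a live process. Reading /proc/1/maps normally
# requires root; return 2 when the file is not readable.
stale_libs_for_pid() {
    pid="${1:-1}"
    if [ ! -r "/proc/$pid/maps" ]; then
        echo "cannot read /proc/$pid/maps" >&2
        return 2
    fi
    stale_libs_from_maps < "/proc/$pid/maps"
}

# Succeed (exit 0) when PID 1 still maps a replaced library, i.e. when an
# init re-exec (or reboot) is still pending; fail otherwise.
pid1_needs_reexec() {
    [ -n "$(stale_libs_for_pid 1)" ]
}

# Constructed sample in /proc/<pid>/maps format (assumption: addresses, devices
# and inode numbers are made up). libc is current; libselinux and libsepol were
# replaced on disk but are still mapped from the old inodes.
sample_maps() {
    cat <<'EOF'
7f1a2b000000-7f1a2b1c5000 r-xp 00000000 fd:01 1048578 /lib/x86_64-linux-gnu/libc.so.6
7f1a2b3d0000-7f1a2b3f5000 r-xp 00000000 fd:01 1048601 /lib/x86_64-linux-gnu/libselinux.so.1 (deleted)
7f1a2b5f6000-7f1a2b5f7000 rw-p 00025000 fd:01 1048601 /lib/x86_64-linux-gnu/libselinux.so.1 (deleted)
7f1a2b600000-7f1a2b640000 r-xp 00000000 fd:01 1048611 /lib/x86_64-linux-gnu/libsepol.so.1 (deleted)
7f1a2b700000-7f1a2b701000 rw-p 00000000 fd:01 2097152 /tmp/scratch.dat (deleted)
7ffd3c9e0000-7ffd3ca01000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Usage: sh stale_libs.sh <pid>   (e.g. "sh stale_libs.sh 1" as root)
# Without an argument, run the parser over the constructed sample.
case "${1:-}" in
    '') sample_maps | stale_libs_from_maps ;;
    *)  stale_libs_for_pid "$1" ;;
esac
```

A non-empty result for PID 1 is the condition the thread is worried about: the new library is on disk but the process that matters most has not picked it up. Running this after a libselinux1 or libsepol1 upgrade, and again after the re-exec, shows directly whether "telinit u" (or systemd's equivalent) actually did its job. Non-library files such as the deleted scratch file in the sample are ignored on purpose, since only mapped code is relevant here.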
