Bug 463117

Summary: RFE: Have SELinux use request_firmware for its policy
Product: [Fedora] Fedora
Reporter: Arjan van de Ven <arjan>
Component: kernel
Assignee: Jack Rieden <jrieden>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: rawhide
CC: eparis, kmcmartin, poelstra, sdsmall
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2012-05-24 16:55:00 UTC

Description Arjan van de Ven 2008-09-21 22:09:06 UTC
Description of problem:

Currently SELinux is requiring an initrd to load the initial policy. This is just about the last thing that makes systems need an initrd. initrds add a significant amount of time to the boot process, so it's worth eliminating them for the common cases.

A good solution could be if SELinux would use request_firmware() to load the policy. (This can be done after mounting / etc.)

A positive side effect of this is that SELinux then suddenly can benefit as well from all the improvements made in the recent past (and in the future) of the firmware loader (such as optionally building the policy into the kernel transparently, etc.)

Comment 1 John Poelstra 2008-09-22 15:42:00 UTC
Not sure who this bug should be assigned to... kernel-maint or one of the SELinux developers?

Comment 2 James Morris 2009-04-13 23:47:21 UTC
I thought this had been discussed at some point, but can't recall the outcome.

Comment 3 Stephen Smalley 2009-04-14 13:11:47 UTC
Take it up on selinux list.
It would help if the proposal were a bit more concrete and/or someone were to actually prototype it and compare it against the current method.