Red Hat Bugzilla – Bug 463117
RFE: Have SELinux use request_firmware for its policy
Last modified: 2012-05-24 12:55:00 EDT
Description of problem:
Currently SELinux is requiring an initrd to load the initial policy. This is just about the last thing that makes systems need an initrd. Initrds add a significant amount of time to the boot process, so it's worth eliminating them for the common cases.
A good solution could be if SELinux would use request_firmware() to load the policy. (This can be done after mounting / etc.)
A positive side effect of this is that SELinux then suddenly can benefit as well from all the improvements made in the recent past (and in the future) of the firmware loader (such as optionally building the policy into the kernel transparently etc. etc.).
Not sure who this bug should be assigned to... kernel-maint or one of the SELinux developers?
I thought this had been discussed at some point, but can't recall the outcome.
Take it up on selinux list.
It would help if the proposal were a bit more concrete and/or someone were to actually prototype it and compare it against the current method.