InitWare, a portable systemd fork running on BSDs and Linux

Posted by sunshine-o 4/3/2025

InitWare, a portable systemd fork running on BSDs and Linux(github.com)

167 points | 117 commentspage 2

egberts1 4/3/2025|

Shoot. Almost there, at least for us cybersecurity-minded folks.

A need for a default-deny-all and then select what a process needs is the better security granularity.

This default-ALLOW-all is too problematic for today's (and future) security needs.

Cuts down on the compliance paperworks too.

westurner 4/3/2025|

DAC: Discretionary Access Control: https://en.wikipedia.org/wiki/Discretionary_access_control :

> The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).

Which permissions and authorizations can be delegated?

DAC is the out of the box SELinux configuration for most Linux distros; some processes are confined, but if the process executable does not have the necessary extended filesystem attribute labels the process runs unconfined; default allow all.

You can see which processes are confined with SELinux contexts with `ps -Z`.

MAC is default deny all;

MAC: Mandatory Access Control: https://en.wikipedia.org/wiki/Mandatory_access_control

egberts1 4/6/2025||

Biggest problem is the use of a SELinux compiler into components understood only by SELinux engine.

Does not help when the SELinux source text file is not buildable by function/procedure axiom: it is at its grittiest granularity, which ironically is the best kind of security, but only if composed by the most savviest SELinux system admins.

Often requires full knowledge of any static/dynamic libraries and any additional dynamic libraries it calls and its resource usages.

Additional frontend UI will be required to proactively determine suitability with those dynamic libraries before any ease of SELinux deployment.

For now, it is a trial and error in part on those intermediate system admins or younger.

westurner 4/6/2025||

From https://news.ycombinator.com/item?id=30025477 :

> [ audit2allow, https://stopdisablingselinux.com/ ]

Applications don't need to be compiled with selinux libraries unless they want to bypass CLI tools like chcon and restorecon (which set extended filesystem attributes according to the system policy; typically at package install time if the package provenance is sufficient) by linking with libselinux.

pkkm 4/4/2025||

Could someone who's more familiar with this project explain the advantages? To me, the main advantages of systemd are

1) It enables better separation of concerns, Twelve-Factor App style. For example, user-installed programs no longer need to connect to a logging daemon or execute a complex daemonization dance [1]. They can just run like a normal command-line program and dump logs to stderr.

2) It cuts down on integration problems, shell script glue, and the amount of different config syntaxes you have to know. Its architecture is modular with over 100 different binaries, so you can still pick-and-choose components and do privilege separation, but because these components are all coming from the same vendor, you know they're going to work well together.

3) It can do certain things far more reliably because it's willing to use Linux-specific APIs. For example, thanks to cgroups v2, it can supervise a process correctly no matter what kind of weird forking strategy the process is using.

Since this project is intended to be compatible across Unix-like systems, it won't be able to use Linux-specific APIs, so advantage 3 is gone. It looks like it dropped many components of systemd, so advantage 2 is partially gone too. Is this project just about getting some cross-cutting concerns into the init system and having better scheduling of service startup?

[1] https://www.freedesktop.org/software/systemd/man/latest/daem...

matu3ba 4/3/2025||

How does it compare to dinit, which is usable in Linuxes, BSDs and default used by Chimera Linux? The goals look identical, see Introduction at https://github.com/davmac314/dinit.

ajross 4/3/2025||

Yeah... I wouldn't dare touch this. Probably the worst possible thing to happen to systemd would be a fork. It's an extremely complicated suite of software operating at a maximally exposed security context, and it's all but guaranteed that the small cadre of volunteers doing what amounts to a *BSD port aren't going to understand it deeply enough.

Pick the parts you want in your BSD and clone it. Don't port.

wkat4242 4/5/2025|

Trust me we in BSD don't want it anyway. If we wanted Linuxisms we would have used... Linux.

It's not just systemd that is a linuxism, but it relies heavily on other linuxisms like dbus. Which does work on BSD, sure. But it shouldn't be part of the core system which an init daemon obviously is.

Vilian 4/3/2025||

the advantage of systemd is the company backing, almost noone gonna donate for their init system, or their timezone system, or the network etc.., donating to their desktop enviroment is hard enough, but because all of that is inside systemd, with company backing, it's a good tradeoff, and people can donate directly to all the project instead of only one software

wkat4242 4/5/2025||

I'm running FreeBSD but I'm not exactly waiting for this to be included there, especially the way it was done on Linux (as the only option without any fallback)

What I like about FreeBSD is the rc.local idea which is a bit like Nix.

vermaden 4/5/2025||

As FreeBSD UNIX user and sysadmin for about 20 years now - FreeBSD importing some systemd(1) fork is the LAST thing I want to see in the FreeBSD land.

In other words - to make it simple - get the fuck out of my lawn with that shit.

actionfromafar 4/3/2025||

This is great!

betimsl 4/3/2025||

Uhoh! -- The virus just spread a litl more!

ConanRus 4/3/2025|

yeah all we need is another systemd

More comments...