selinux hasn't been running for over a week

Stephen Smalley sds at tycho.nsa.gov
Fri Sep 18 13:44:24 UTC 2009


On Fri, 2009-09-18 at 09:17 -0400, Daniel J Walsh wrote:
> On 09/18/2009 08:35 AM, Stephen Smalley wrote:
> > On Fri, 2009-09-18 at 07:34 -0400, Daniel J Walsh wrote:
> >> On 09/17/2009 09:39 PM, Yuan Yijun wrote:
> >>> 2009/9/18 Steve Grubb <sgrubb at redhat.com>:
> >>>> hi,
> >>>>
> >>>> What's happened in our rawhide boot sequence that causes selinux to not be
> >>>> running anymore? Selinux is not disabled in the grub.conf kernel line and
> >>>> sestatus shows it's disabled. There is nothing in the system logs saying that
> >>>> there was a problem.
> >>>>
> >>>
> >>> I encountered this problem as well, but don't know why. It happens
> >>> when I am trying different kernels among some recent builds (starting
> >>> from 0.104 to 1.14). I guess there is an incompatibility between older
> >>> kernels and the policy; when you install a kernel while SELinux is
> >>> disabled, it may cause future problems. Do you expect SELinux to be
> >>> enabled automatically? I usually enable SELinux by doing a relabel,
> >>> then install the kernel again.
> >>>
> >>>
> >>>
> >> Hopefully this is just a problem of coordination between the old way of doing things and the new.
> >> Dracut found a bug where it could not load_policy on separate /usr partitions because it needed to execute
> >> /usr/sbin/load_policy (obviously).  I moved load_policy from /usr/sbin to /sbin. This caused some other apps
> >> problems because they were hard coded to look for /usr/sbin.  Recently I fixed this by adding a symbolic link
> >> and fixing the libraries that blew up.
> > 
> > Why can't dracut just directly invoke the libselinux interface
> > (selinux_init_load_policy)?  Then you don't have to care where the
> > load_policy program lives.
> > 
> The beauty of load_policy is that we don't end up having to suck the libsemanage and friends into the initrd.
> 
> I think it is much saner than what we were doing in F11.

Oh, I didn't realize that you had changed approaches.  That makes Fedora
more like Ubuntu's approach to handling initial policy load.

FWIW, Debian is planning to patch upstart to load policy the way
sysvinit used to do it.  Then they don't require an initrd to perform
the initial policy load.

-- 
Stephen Smalley
National Security Agency
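An added boot-time diagnostic for the situation the thread describes (SELinux silently coming up disabled because the initrd could not run load_policy); it is not code from the thread or from dracut, and the sample tree it builds is constructed. It checks the three things a defender would look at first: the kernel command line, /etc/selinux/config, and whether load_policy is reachable under /sbin rather than only under /usr/sbin.

```shell
# selinux_boot_diag CMDLINE CONFIG ROOT
#   CMDLINE: file holding the kernel command line (normally /proc/cmdline)
#   CONFIG : the SELinux config file         (normally /etc/selinux/config)
#   ROOT   : tree to look for load_policy in (normally /)
# Prints one line per finding; returns 0 when nothing looks wrong, 1 otherwise.
selinux_boot_diag() {
    cmdline=$1 config=$2 root=$3 rc=0
    if grep -qw 'selinux=0' "$cmdline"; then
        echo "kernel command line disables SELinux (selinux=0)"; rc=1
    fi
    mode=$(sed -n 's/^SELINUX=//p' "$config" | tail -n 1)
    case $mode in
        enforcing|permissive) ;;
        disabled) echo "config sets SELINUX=disabled"; rc=1 ;;
        *) echo "config has no usable SELINUX= line"; rc=1 ;;
    esac
    # dracut runs load_policy from the initrd before /usr is mounted, so a
    # copy (or symlink) under /sbin is required; /usr/sbin alone is not
    # reachable when /usr is a separate partition.
    if [ -x "$root/sbin/load_policy" ]; then
        :
    elif [ -x "$root/usr/sbin/load_policy" ]; then
        echo "load_policy only under /usr/sbin; unreachable from the initrd on a separate /usr"; rc=1
    else
        echo "load_policy not found under /sbin or /usr/sbin"; rc=1
    fi
    return $rc
}

# build_sample_tree DIR: constructed layout reproducing the thread's case,
# SELinux enabled in config and on the command line, load_policy only
# under /usr/sbin (the stub load_policy is a placeholder, not the real tool).
build_sample_tree() {
    dir=$1
    mkdir -p "$dir/usr/sbin" "$dir/sbin" "$dir/etc/selinux"
    echo 'root=/dev/sda1 ro quiet' > "$dir/cmdline"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$dir/etc/selinux/config"
    printf '#!/bin/sh\n' > "$dir/usr/sbin/load_policy"
    chmod +x "$dir/usr/sbin/load_policy"
}

# Demonstration: the diagnosis before and after adding the /sbin symlink.
demo() {
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    selinux_boot_diag "$tmp/cmdline" "$tmp/etc/selinux/config" "$tmp" || echo "-> SELinux would come up disabled"
    ln -s ../usr/sbin/load_policy "$tmp/sbin/load_policy"
    selinux_boot_diag "$tmp/cmdline" "$tmp/etc/selinux/config" "$tmp" && echo "-> fixed"
    rm -rf "$tmp"
}
demo
```

On a live system, source the file and run `selinux_boot_diag /proc/cmdline /etc/selinux/config /` after a boot where sestatus unexpectedly reports disabled.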
