Re: selinux hasn't been running for over a week
- From: Stephen Smalley <sds tycho nsa gov>
- To: Development discussions related to Fedora <fedora-devel-list redhat com>
- Cc: Daniel J Walsh <dwalsh redhat com>
- Subject: Re: selinux hasn't been running for over a week
- Date: Fri, 18 Sep 2009 10:05:04 -0400
On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
> > >> If the kernel has SELinux and it is not in permissive mode, it should
> > >> execute load_policy
> >
> > Yes, in permissive mode load_policy will return 2 if it cannot load policy.
> > I guess dracut should also look in /etc/selinux/config to see if the
> > SELINUX environment variable is not set to enforcing.
>
> What about interaction with the kernel command line? What the kernel was given
> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says
> enabled, shouldn't the kernel command line take priority?
That all gets taken care of inside the libselinux
selinux_init_load_policy() function, which is what load_policy calls.
>
> > > You mean if the machine is in permissive mode, it should load_policy, but
> > > not crash. But it should log the reason so it can be debugged.
> > >
> > >> Load_policy will exit with 0 on success or 2 on failure and SELinux in
> > >> permissive mode.
> > >
> > > And if chroot fails, we need to handle it.
> >
> > This will probably crash anyways
>
> In the code I looked at, only if it returned 3...
load_policy exits with 3 if the load policy failed and the system was
supposed to be in enforcing mode (based on the combination of kernel
command line arguments, which do take precedence, and
the /etc/selinux/config setting). It exits with 2 if the load policy
failed and the system was supposed to be permissive.
--
Stephen Smalley
National Security Agency
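An added example, not code from this thread, dracut or libselinux: a simplified POSIX sh model of the precedence rule Stephen describes (kernel command line over /etc/selinux/config) and a handler for load_policy's 0/2/3 exit codes, including the failed-chroot case Steve raised. It assumes the `enforcing=` kernel parameter and GNU chroot's 125/126/127 exit statuses; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread, dracut or libselinux): a simplified
# model of the mode decision and of the load_policy exit-code handling
# discussed above. Function names are hypothetical.

# expected_mode CMDLINE CONFIG_FILE
# Prints disabled|permissive|enforcing. /etc/selinux/config supplies the
# default; the kernel command line (selinux=0, enforcing=0/1) overrides it.
expected_mode() {
    cmdline=$1
    config=$2
    mode=enforcing                  # assumed default when SELINUX= is absent
    if [ -r "$config" ]; then
        v=$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$config" | tail -n 1)
        if [ -n "$v" ]; then mode=$v; fi
    fi
    for arg in $cmdline; do
        case $arg in
            selinux=0)   mode=disabled ;;
            enforcing=0) if [ "$mode" != disabled ]; then mode=permissive; fi ;;
            enforcing=1) if [ "$mode" != disabled ]; then mode=enforcing; fi ;;
        esac
    done
    echo "$mode"
}

# handle_load_policy STATUS
# Maps the exit status of `chroot "$NEWROOT" load_policy` to an action and
# logs the reason. Returns 0 when boot may continue, 1 when it must stop.
# 125/126/127 are GNU chroot's own statuses for "chroot failed", "cannot
# invoke" and "command not found": the chroot-failure case raised above.
handle_load_policy() {
    case $1 in
        0)   echo "SELinux: policy loaded"; return 0 ;;
        2)   echo "SELinux: policy load failed, system is permissive; continuing" >&2
             return 0 ;;
        3)   echo "SELinux: policy load failed and enforcing was expected; halting" >&2
             return 1 ;;
        125|126|127)
             echo "SELinux: chroot or load_policy could not be run (status $1)" >&2
             return 1 ;;
        *)   echo "SELinux: unexpected load_policy status $1" >&2; return 1 ;;
    esac
}

# Usage in an initramfs hook (not run here):
#   mode=$(expected_mode "$(cat /proc/cmdline)" "$NEWROOT/etc/selinux/config")
#   if [ "$mode" != disabled ]; then
#       chroot "$NEWROOT" /usr/sbin/load_policy; handle_load_policy $?
#   fi
```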