selinux hasn't been running for over a week
Stephen Smalley
sds at tycho.nsa.gov
Fri Sep 18 14:05:04 UTC 2009
On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
> > >> If the kernel has SELinux and it is not in permissive mode, it should
> > >> execute load_policy
> >
> > Yes in permissive mode load_policy will return 2 if it can not load policy.
> > I guess dracut should also look in /etc/selinux/config to see if the
> > SELINUX environment variable is not set to enforcing.
>
> What about interaction with the kernel command line? What the kernel was given
> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says
> enabled, shouldn't the kernel command line take priority?
That all gets taken care of inside of libselinux
selinux_init_load_policy() function, which is what load_policy calls.
>
> > > You mean if the machine is in permissive mode, it should load_policy, but
> > > not crash. But it should log the reason so it can be debugged.
> > >
> > >> Load_policy will exit with 0 on success or 2 on failure and SELinux in
> > >> permissive mode.
> > >
> > > And if chroot fails, we need to handle it.
> >
> > This will probably crash anyways
>
> In the code I looked at, only if it returned 3...
load_policy exits with 3 if the load policy failed and the system was
supposed to be in enforcing mode (based on the combination of kernel
command line arguments, which do take precedence, and
the /etc/selinux/config setting). It exits with 2 if the load policy
failed and the system was supposed to be permissive.
--
Stephen Smalley
National Security Agency
More information about the fedora-devel-list
mailing list