selinux hasn't been running for over a week
Stephen Smalley
sds at tycho.nsa.gov
Fri Sep 18 14:27:54 UTC 2009
On Fri, 2009-09-18 at 10:15 -0400, Daniel J Walsh wrote:
> On 09/18/2009 10:01 AM, Steve Grubb wrote:
> > On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
> >>>> If the kernel has SELinux and it is not in permissive mode, it should
> >>>> execute load_policy
> >>
> >> Yes in permissive mode load_policy will return 2 if it can not load policy.
> >> I guess dracut should also look in /etc/selinux/config to see if the
> >> SELINUX environment variable is not set to enforcing.
> >
> > What about interaction with the kernel command line? What the kernel was given
> > is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says
> > enabled, shouldn't the kernel command line take priority?
> >
> >
> Yes kernel command line wins.
>
> Second is /etc/selinux/config (SELINUX) line
>
> Execute the kernel command line to initialize the
> selinux and enforcing environment variables. cmdline options are (selinux=0 to disable SELinux) (enforcing=0 to put selinux in permissive mode)
>
>
> then dracut should execute
> . /etc/selinux/config
> if [ "$selinux" != 0 && "$enforcing" != 0 && "$SELINUX" == "enforcing" ]; then
> load_policy
> if $? != 0; ReportError() && blow up
> elif [ ""$selinux" != 0 && ("$enforcing" == 0 || $SELINUX" == "permissive") ]; then
> load_policy
> if $? != 0; ReportError()
> # Continue no matter what
> elif [ "$selinux == 0" || "$enforcing" == 0 || "$SELINUX" == "disabled" ]; then
> # Continue no matter what, although it would nice to tell the kernel to drop SELinux support
> elif
> Report_error()
> Blow Up
> endif
You mean load_policy -i, right? That's the initial policy load that
happens at boot.
--
Stephen Smalley
National Security Agency
More information about the fedora-devel-list
mailing list