selinux hasn't been running for over a week

Stephen Smalley sds at tycho.nsa.gov
Fri Sep 18 14:27:54 UTC 2009


On Fri, 2009-09-18 at 10:15 -0400, Daniel J Walsh wrote:
> On 09/18/2009 10:01 AM, Steve Grubb wrote:
> > On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
> >>>> If the kernel has SELinux and it is not in permissive mode, it should
> >>>>  execute load_policy
> >>
> >> Yes in permissive mode load_policy will return 2 if it can not load policy.
> >> I guess dracut should also look in /etc/selinux/config to see if the
> >>  SELINUX  environment variable is not set to enforcing.
> > 
> > What about interaction with the kernel command line? What the kernel was given 
> > is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says 
> > enabled, shouldn't the kernel command line take priority?
> > 
> > 
> Yes kernel command line wins.
> 
> Second is /etc/selinux/config (SELINUX) line
> 
> Execute the kernel command line to initialize the 
> selinux and enforcing environment variables.  cmdline options are (selinux=0 to disable SELinux) (enforcing=0 to put selinux in permissive mode)
> 
> 
> then dracut should execute
> . /etc/selinux/config
> if [ "$selinux" != 0 ] && [ "$enforcing" != 0 ] && [ "$SELINUX" = "enforcing" ]; then
> 	load_policy
> 	if [ $? != 0 ]; then ReportError; fi  # and blow up
> elif [ "$selinux" != 0 ] && { [ "$enforcing" = 0 ] || [ "$SELINUX" = "permissive" ]; }; then
> 	load_policy
> 	if [ $? != 0 ]; then ReportError; fi
> 	# Continue no matter what
> elif [ "$selinux" = 0 ] || [ "$enforcing" = 0 ] || [ "$SELINUX" = "disabled" ]; then
> 	: # Continue no matter what, although it would be nice to tell the kernel to drop SELinux support
> else
> 	ReportError
> 	# Blow up
> fi

You mean load_policy -i, right?  That's the initial policy load that
happens at boot.

-- 
Stephen Smalley
National Security Agency
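
The decision logic the thread converges on (kernel command line first, then /etc/selinux/config, with a hard failure in enforcing mode and a soft one in permissive mode), written as a testable POSIX shell function. This is an added example, not code from the thread or from dracut; the function names, the `error` result for an unrecognised config, and passing the cmdline and config contents as strings are assumptions made so it runs offline.

```shell
#!/bin/sh
# Decide how the initramfs should treat the initial SELinux policy load.
# Precedence follows the thread: kernel command line (selinux=0,
# enforcing=0) wins, then the SELINUX= line of /etc/selinux/config.
# Both inputs are passed as strings so the decision can be tested offline.
#   $1: contents of /proc/cmdline
#   $2: contents of /etc/selinux/config
# Prints: enforcing  (load policy, abort boot if that fails)
#         permissive (load policy, continue even if that fails)
#         disabled   (skip the policy load)
#         error      (config missing or unrecognised)
selinux_boot_mode() {
    cmdline=$1
    config=$2
    selinux=1      # defaults when the option is absent from the command line
    enforcing=1
    for word in $cmdline; do
        case $word in
            selinux=0)   selinux=0 ;;
            enforcing=0) enforcing=0 ;;
        esac
    done
    # Last uncommented SELINUX= line wins, as it would when sourcing the file.
    SELINUX=$(printf '%s\n' "$config" \
        | sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' | tail -n 1)

    if [ "$selinux" != 0 ] && [ "$enforcing" != 0 ] && [ "$SELINUX" = enforcing ]; then
        echo enforcing
    elif [ "$selinux" != 0 ] && { [ "$enforcing" = 0 ] || [ "$SELINUX" = permissive ]; }; then
        echo permissive
    elif [ "$selinux" = 0 ] || [ "$SELINUX" = disabled ]; then
        echo disabled
    else
        echo error
    fi
}

# Perform the initial load with the failure semantics chosen above.
# This wrapper is the example's own, not dracut's; it assumes load_policy is
# on PATH and uses -i for the initial load, as Stephen points out.
# Returns non-zero only when the boot should be aborted.
selinux_initial_load() {
    case $(selinux_boot_mode "$1" "$2") in
        enforcing)  load_policy -i || { echo "SELinux policy load failed, aborting boot" >&2; return 1; } ;;
        permissive) load_policy -i || echo "SELinux policy load failed, continuing permissive" >&2 ;;
        disabled)   ;;
        *)          echo "cannot determine SELinux mode from cmdline/config" >&2; return 1 ;;
    esac
    return 0
}
```

Note that, as in the pseudocode above, `enforcing=0` on the command line is checked before a `SELINUX=disabled` config line, so that combination yields a permissive policy load rather than no load.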