Re: [RFC] change policy loading to initramfs
- From: Stephen Smalley <sds tycho nsa gov>
- To: John Reiser <jreiser BitWagon com>
- Cc: fedora-selinux-list redhat com, Bill Nottingham <notting redhat com>
- Subject: Re: [RFC] change policy loading to initramfs
- Date: Thu, 24 Jan 2008 08:29:53 -0500
On Wed, 2008-01-23 at 18:00 -0800, John Reiser wrote:
> Bill Nottingham wrote:
> > The snippet you quoted *does* print strerror(errno)... there are
> > various other errors that the SELinux routines catch, but they
> > aren't propagated up in any way that that patch could catch.
>
> So it looks like the message for a missing file might be:
> Unable to load SELinux policy (No such file or directory). Halting now.
>
> This is exactly what happened to me in F8, and it was horrible:
> https://bugzilla.redhat.com/show_bug.cgi?id=343861
> The ultimate cause was a bug in pungi:
> https://bugzilla.redhat.com/show_bug.cgi?id=343851
> but the error was not discovered until install time (anaconda),
> and the error message did not give the name of [any] missing file.
>
> It is unacceptable to say "No such file or directory" unless
> it also gives the full literal name of some such file that was
> sought, and could have been used (if present and correctly formatted, etc.)
>
> The missing filename turned out to be:
> /etc/selinux/targeted/policy/policy.21
>
> *IF* that filename had appeared with the original message:
> Can't load policy: no such file or directory
> then it would have been *very* much easier to debug and fix.
To do that, we'd need to modify the libselinux selinux_mkload_policy
function rather than the caller, as the libselinux function encapsulates
the policy file location these days. Certainly doable, just needs a
patch to report that info on a failure.
--
Stephen Smalley
National Security Agency
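
The reporting change discussed in this message, as an added C example that is not libselinux code or a patch from this thread: the helper that encapsulates the policy file location also formats the full name of the file it sought, so the caller can print it. The function name `open_policy_verbose`, its `root` parameter, the version fallback range and the sample arguments are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not a libselinux function): open the policy file for
 * `type` under `root`, trying policy.<max_vers> down to policy.<min_vers>
 * (an assumed fallback). Returns an fd, or -1 with errno set and `err`
 * holding the full name of the file that was sought. */
int open_policy_verbose(const char *root, const char *type,
                        int max_vers, int min_vers, char *err, size_t errlen)
{
    char path[4096] = "", first[4096] = "";
    int saved = ENOENT;
    for (int v = max_vers; v >= min_vers; v--) {
        int n = snprintf(path, sizeof(path), "%s/%s/policy/policy.%d",
                         root, type, v);
        if (n < 0 || (size_t)n >= sizeof(path)) {
            snprintf(err, errlen, "policy path too long for type %s", type);
            errno = ENAMETOOLONG;
            return -1;
        }
        if (v == max_vers)
            strcpy(first, path);        /* remember the preferred file */
        int fd = open(path, O_RDONLY);
        if (fd >= 0)
            return fd;
        saved = errno;
        if (saved != ENOENT)
            break;                      /* EACCES, EIO, ...: name this file */
    }
    /* If nothing existed, name the preferred (newest) file that was sought. */
    snprintf(err, errlen, "Can't load policy %s: %s",
             saved == ENOENT ? first : path, strerror(saved));
    errno = saved;
    return -1;
}

int main(void)
{
    char err[8192];                     /* arguments below are sample values */
    int fd = open_policy_verbose("/etc/selinux", "targeted", 21, 15,
                                 err, sizeof(err));
    if (fd < 0) {
        fprintf(stderr, "%s. Halting now.\n", err);
        return 1;
    }
    close(fd);
    return 0;
}
```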