Re: [RFC] change policy loading to initramfs
- From: Bill Nottingham <notting redhat com>
- To: Chad Sellers <csellers tresys com>
- Cc: Peter Jones <pjones redhat com>, fedora-selinux-list redhat com
- Subject: Re: [RFC] change policy loading to initramfs
- Date: Thu, 24 Jan 2008 16:34:00 -0500
Chad Sellers (csellers tresys com) said:
> A good point. I handle this (in my script from the other post) by only dying
> if the return code is 3 (meaning we're supposed to be enforcing and loading
> policy failed). I didn't consider all the error conditions due to chroot
> itself. I believe the list of return codes to consider (thanks to Steve) is:
>
> chroot:
> 0 success
> 1 (various failures, including usage, failure to chroot, failure to
> chdir)
> 126 (any failure on exec except for ENOENT)
> 127 (ENOENT on the exec, i.e. couldn't find load_policy)
>
> load_policy -i:
> 0 success
> 1 usage
> 2 can't load policy but proceed
> 3 can't load policy and die
>
> The security guy in me says die on any return value besides 0 or 2, but
> that's probably too draconian. At the very least, we should continue on 127
> (if load_policy is not installed).
>
> Thoughts?
If load_policy isn't installed, you want to proceed. If chroot outright
fails, you'll almost certainly fail later in your boot anyway, so I don't
know if you need to explicitly handle that.
Bill
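
The return-code handling discussed in this thread, sketched as an added example; it is not part of the original post and is not Chad's script. The exit codes are the ones listed above; the mode names, function names, `/sysroot` and the `load_policy` path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Exit codes are the ones listed in the thread; the mode
# names and function names are hypothetical.

# classify_rc RC: label the combined "chroot ... load_policy -i" exit status.
classify_rc() {
    case "$1" in
        0)   echo loaded ;;
        1)   echo ambiguous ;;            # chroot failure or load_policy usage error
        2)   echo not-loaded-proceed ;;
        3)   echo not-loaded-die ;;
        126) echo exec-failed ;;          # exec failed, not ENOENT
        127) echo not-installed ;;        # ENOENT: load_policy missing
        *)   echo unknown ;;
    esac
}

# decide RC MODE: print "continue" or "halt".
#   die-on-3          halt only on 3
#   strict            halt on anything except 0 or 2
#   strict-except-127 strict, but a missing load_policy does not stop boot
# An unrecognised mode behaves like strict.
decide() {
    case "$2:$1" in
        *:0|*:2)               echo continue ;;
        die-on-3:3)            echo halt ;;
        die-on-3:*)            echo continue ;;
        strict-except-127:127) echo continue ;;
        *)                     echo halt ;;
    esac
}

# run_and_decide MODE CMD...: run CMD, log the outcome, return 0 to continue
# booting or 1 to halt.
run_and_decide() {
    mode=$1; shift
    rc=0
    "$@" || rc=$?
    action=$(decide "$rc" "$mode")
    echo "load_policy rc=$rc ($(classify_rc "$rc")), mode=$mode: $action" >&2
    [ "$action" = continue ]
}

# In an initramfs script (root path and binary path are assumptions):
#   run_and_decide die-on-3 chroot /sysroot /usr/sbin/load_policy -i || <halt the boot>
```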