Re: [redhat-lspp] Behavior on load_policy failure

[Linda Knippers <linda knippers hp com>]

I think the expectation is that one would boot into single user mode
with SELinux either off or in permissive mode (which sounds like the same
thing if the policy won't load), fix the problem and then reboot.
You would never want to go into multiuser mode until the problem is
repaired.

Passing kernel flags isn't user friendly but this is also something
that shouldn't happen, especially on an evaluated configuration.
Famous last words, I suppose.

-- ljk

Eduardo Madeira Fleury wrote:
> Hi all,
> 
> I'm currently testing what happens when Init detects a load_policy error. The 
> results I have so far are:
> 
> == Booting in Enforcing Mode -> The system panics.
> 
> == Booting in Permissive Mode -> The system boots fine but with SELinux 
> completely disabled in such a way it's not possible to simply setenforce to 1
> 
> == Booting in Disabled Mode -> Boots fine with SELinux disabled of course.
> 
> What I would like to point though is that this way the system does not provide 
> an automatic "Recover Mode" as specified in the Security Target section 
> 19.1.2.3 Manual Recovery (FPT_RCV.1).
> 
> Currently the system admin is required to modify boot parameters manually to 
> boot in Permissive or Disabled mode, repair the system and then boot it back 
> in Enforcing mode, but simply booting in Permissive mode is a potential 
> security risk as the system would still be in multiuser mode.
> 
> It's important to require that in case of a load_policy failure the system 
> admin boot the system in Permissive mode **but also in single mode**.
> 
> Besides that, passing kernel arguments in boot time is not user friendly.
> 
> Anyway, I'd like to check if this behavior is the one expected.
> 
> Regards,