selinux hasn't been running for over a week

Daniel J Walsh dwalsh at redhat.com
Fri Sep 18 14:16:47 UTC 2009


On 09/18/2009 10:05 AM, Stephen Smalley wrote:
> On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
>> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
>>>>> If the kernel has SELinux and it is not in permissive mode, it should
>>>>>  execute load_policy
>>>
>>> Yes in permissive mode load_policy will return 2 if it cannot load policy.
>>> I guess dracut should also look in /etc/selinux/config to see if the
>>>  SELINUX  environment variable is not set to enforcing.
>>
>> What about interaction with the kernel command line? What the kernel was given 
>> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says 
>> enabled, shouldn't the kernel command line take priority?
> 
> That all gets taken care of inside of libselinux
> selinux_init_load_policy() function, which is what load_policy calls.
> 
>>
>>>> You mean if the machine is in permissive mode, it should load_policy, but
>>>> not  crash. But it should log the reason so it can be debugged.
>>>>
>>>>> Load_policy will exit with 0 on success or 2 on failure and SELinux in
>>>>>  permissive mode.
>>>>
>>>> And if chroot fails, we need to handle it.
>>>
>>> This will probably crash anyways
>>
>> In the code I looked at, only if it returned 3...
> 
> load_policy exits with 3 if the load policy failed and the system was
> supposed to be in enforcing mode (based on the combination of kernel
> command line arguments, which do take precedence, and
> the /etc/selinux/config setting).  It exits with 2 if the load policy
> failed and the system was supposed to be permissive.
>  
Right but what happens if load_policy is called with the wrong parameter?
What happens if load_policy cannot be called because of permission denied?
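The exit-code handling discussed in this thread, as an added example that is not dracut's, libselinux's or any poster's code: it derives the intended mode from /proc/cmdline and /etc/selinux/config (command line first, as selinux_init_load_policy() does) and maps load_policy's exit status to an action, treating statuses other than 0/2/3 (a wrong parameter, or 126/127 when the shell cannot run the binary) as a failed load instead of ignoring them. The precise kernel options honoured (selinux=0, enforcing=0/1) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not dracut's or libselinux's code): how an initramfs hook
# could act on load_policy's exit codes as described in the thread
# (0 = loaded, 2 = failed but permissive, 3 = failed and enforcing).
# Inputs are passed as strings so the logic runs without a real kernel.

# Effective mode from the kernel command line and /etc/selinux/config.
# Assumption: "selinux=0" disables SELinux and "enforcing=0/1" overrides
# the SELINUX= line; the command line wins, as the thread says it does
# inside selinux_init_load_policy().
selinux_effective_mode() {
    cmdline=$1   # contents of /proc/cmdline
    config=$2    # contents of /etc/selinux/config
    mode=$(printf '%s\n' "$config" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1)
    [ -n "$mode" ] || mode=disabled    # no SELINUX= line: treat as disabled
    for word in $cmdline; do
        case $word in
            selinux=0)   mode=disabled ;;
            enforcing=0) if [ "$mode" = enforcing ]; then mode=permissive; fi ;;
            enforcing=1) if [ "$mode" = permissive ]; then mode=enforcing; fi ;;
        esac
    done
    printf '%s\n' "$mode"
}

# Map load_policy's exit status to an action: prints "continue" or "halt".
# $1 = exit status, $2 = effective mode from selinux_effective_mode.
# Statuses other than 0/2/3 (126 "permission denied" or 127 "not found"
# from the shell, or a usage error) are the case raised at the end of the
# thread; they are treated as a failed load and decided by the intended mode
# rather than silently ignored.
handle_load_policy_status() {
    status=$1
    mode=$2
    case $status in
        0) echo continue ;;
        2) echo "load_policy: policy load failed, system is permissive" >&2
           echo continue ;;
        3) echo "load_policy: policy load failed in enforcing mode" >&2
           echo halt ;;
        *) echo "load_policy: unexpected exit status $status" >&2
           if [ "$mode" = enforcing ]; then echo halt; else echo continue; fi ;;
    esac
}

# On a real system (guarded so the script also runs where these files are absent):
if [ -r /proc/cmdline ] && [ -r /etc/selinux/config ]; then
    echo "effective SELinux mode: $(selinux_effective_mode "$(cat /proc/cmdline)" "$(cat /etc/selinux/config)")"
fi
```

In an init script the second function would be called as `handle_load_policy_status $? "$mode"` right after running load_policy, and the hook would drop to a debug shell or panic only on "halt".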
