selinux hasn't been running for over a week
Daniel J Walsh
dwalsh at redhat.com
Fri Sep 18 14:16:47 UTC 2009
On 09/18/2009 10:05 AM, Stephen Smalley wrote:
> On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
>> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
>>>>> If the kernel has SELinux and it is not in permissive mode, it should
>>>>> execute load_policy
>>>
>>> Yes, in permissive mode load_policy will return 2 if it cannot load policy.
>>> I guess dracut should also look in /etc/selinux/config to see if the
>>> SELINUX environment variable is not set to enforcing.
>>
>> What about interaction with the kernel command line? What the kernel was given
>> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says
>> enabled, shouldn't the kernel command line take priority?
>
> That all gets taken care of inside of libselinux
> selinux_init_load_policy() function, which is what load_policy calls.
>
>>
>>>> You mean if the machine is in permissive mode, it should load_policy, but
>>>> not crash. But it should log the reason so it can be debugged.
>>>>
>>>>> Load_policy will exit with 0 on success or 2 on failure and SELinux in
>>>>> permissive mode.
>>>>
>>>> And if chroot fails, we need to handle it.
>>>
>>> This will probably crash anyway.
>>
>> In the code I looked at, only if it returned 3...
>
> load_policy exits with 3 if the load policy failed and the system was
> supposed to be in enforcing mode (based on the combination of kernel
> command line arguments, which do take precedence, and
> the /etc/selinux/config setting). It exits with 2 if the load policy
> failed and the system was supposed to be permissive.
>
Right, but what happens if load_policy is called with the wrong parameter?
What happens if load_policy cannot be called because of permission denied?
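The thread describes a small decision procedure for the initramfs: work out which mode the system is supposed to end up in (kernel command line beats /etc/selinux/config), run load_policy, and act on its exit status (0 loaded, 2 failed while permissive, 3 failed while enforcing), while also logging the cases Dan raises at the end (wrong arguments, permission denied). The script below is an added example modelling that logic; it is not dracut's or libselinux's own code. The file paths and the load_policy command are passed as parameters so the functions can be exercised on constructed inputs and stub commands; treating a missing or unparsable SELINUX= setting as enforcing, and treating any exit status other than 0, 2 or 3 as a boot-stopping failure, are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not dracut's or libselinux's own code). It models the initramfs
# hook discussed in the thread: decide which mode the system should be in, run
# load_policy, and act on its exit status. Statuses 0, 2 and 3 are the ones the
# thread states; halting on any other status is this example's own choice.
# Assumption: the locations of /proc/cmdline and /etc/selinux/config are passed
# in so the logic can run on constructed files.

# selinux_expected_mode CMDLINE_FILE CONFIG_FILE
# Prints "disabled", "permissive" or "enforcing". Kernel command line options
# (selinux=0, enforcing=0, enforcing=1) take priority over SELINUX= in the
# config file, matching the precedence the thread attributes to libselinux.
selinux_expected_mode() {
    cmdline_file=$1
    config_file=$2
    mode=""
    if [ -r "$config_file" ]; then
        # Last uncommented SELINUX= line wins; SELINUXTYPE= does not match.
        mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$config_file" | tail -n 1)
    fi
    case $mode in
        enforcing|permissive|disabled) ;;
        *) mode=enforcing ;;   # assumption: unknown or missing setting -> enforcing
    esac
    if [ -r "$cmdline_file" ]; then
        for arg in $(cat "$cmdline_file"); do
            case $arg in
                selinux=0)   mode=disabled ;;
                enforcing=0) if [ "$mode" != disabled ]; then mode=permissive; fi ;;
                enforcing=1) if [ "$mode" != disabled ]; then mode=enforcing; fi ;;
            esac
        done
    fi
    echo "$mode"
}

# handle_load_policy_status STATUS MODE
# Maps load_policy's exit status to a log line and a verdict: returns 0 when the
# boot may continue, 1 when the initramfs should stop so the failure can be
# debugged. 126/127 are the shell's own statuses for "found but not executable"
# and "not found", which covers the permission-denied and wrong-path cases.
handle_load_policy_status() {
    status=$1
    mode=$2
    case $status in
        0)   echo "selinux: policy loaded, expected mode $mode"; return 0 ;;
        2)   echo "selinux: policy load failed but system is permissive, continuing"; return 0 ;;
        3)   echo "selinux: policy load failed and system should be enforcing, stopping boot"; return 1 ;;
        126) echo "selinux: load_policy exists but could not be executed (permission denied), stopping boot"; return 1 ;;
        127) echo "selinux: load_policy not found (wrong path or chroot?), stopping boot"; return 1 ;;
        *)   echo "selinux: load_policy exited with unexpected status $status (bad arguments?), stopping boot"; return 1 ;;
    esac
}

# selinux_policy_hook CMDLINE_FILE CONFIG_FILE COMMAND [ARG...]
# COMMAND is whatever runs load_policy; a real hook would pass something like
# chroot "$NEWROOT" /usr/sbin/load_policy -i. Skips the load when SELinux is
# disabled, otherwise runs COMMAND and returns the verdict from its status.
selinux_policy_hook() {
    cmdline_file=$1
    config_file=$2
    shift 2
    mode=$(selinux_expected_mode "$cmdline_file" "$config_file")
    if [ "$mode" = disabled ]; then
        echo "selinux: disabled by kernel command line or config, skipping load_policy"
        return 0
    fi
    status=0
    "$@" || status=$?
    handle_load_policy_status "$status" "$mode"
}

# Demo on constructed files: an enforcing config, with and without selinux=0,
# and stub commands standing in for load_policy's possible exit statuses.
demo_dir=$(mktemp -d)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_dir/config"
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 quiet\n' > "$demo_dir/cmdline"
for stub_status in 0 2 3 126; do
    selinux_policy_hook "$demo_dir/cmdline" "$demo_dir/config" sh -c "exit $stub_status" || :
done
printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 selinux=0\n' > "$demo_dir/cmdline"
selinux_policy_hook "$demo_dir/cmdline" "$demo_dir/config" sh -c 'exit 3'
rm -rf "$demo_dir"
```

The split into three functions is deliberate: the mode decision and the status handling are pure and testable, and only `selinux_policy_hook` touches the real command, so the same logic can be checked against stub exit statuses before it is wired to `chroot "$NEWROOT" /usr/sbin/load_policy -i` in an initramfs.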