On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
> > >> If the kernel has SELinux and it is not in permissive mode, it should
> > >> execute load_policy
> >
> > Yes in permissive mode load_policy will return 2 if it can not load policy.
> > I guess dracut should also look in /etc/selinux/config to see if the
> > SELINUX environment variable is not set to enforcing.
>
> What about interaction with the kernel command line? What the kernel was given
> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says
> enabled, shouldn't the kernel command line take priority?

That all gets taken care of inside of libselinux selinux_init_load_policy()
function, which is what load_policy calls.

> > > You mean if the machine is in permissive mode, it should load_policy, but
> > > not crash. But it should log the reason so it can be debugged.
> > >
> > >> Load_policy will exit with 0 on success or 2 on failure and SELinux in
> > >> permissive mode.
> > >
> > > And if chroot fails, we need to handle it.
> >
> > This will probably crash anyways
>
> In the code I looked at, only if it returned 3...

load_policy exits with 3 if the load policy failed and the system was supposed
to be in enforcing mode (based on the combination of kernel command line
arguments, which do take precedence, and the /etc/selinux/config setting). It
exits with 2 if the load policy failed and the system was supposed to be
permissive.

--
Stephen Smalley
National Security Agency

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
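As an added illustration (not code from the thread, nor dracut's own module), a POSIX shell hook that runs load_policy in the real root and acts on the exit statuses described above: 0 continues, 2 logs and continues (permissive), 3 or anything else aborts the boot. It assumes the real root is mounted at $NEWROOT (falling back to /sysroot) and the function names are hypothetical; the selinux=0 / config precedence decision is left to libselinux as the thread says.

```shell
#!/bin/sh
# Added example, not dracut's code. Helper names are hypothetical.

# Read SELINUX= from an /etc/selinux/config-style file (what Dan suggests
# dracut could look at); prints enforcing/permissive/disabled or "unknown".
selinux_config_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$mode" ] && echo "$mode" || echo "unknown"
}

# Map load_policy's exit status to the hook's action:
#   0 -> policy loaded, continue
#   2 -> load failed, system meant to be permissive: log and continue
#   3 -> load failed, system meant to be enforcing: stop the boot
# Any other status (e.g. chroot itself failing) is treated as a hard failure.
selinux_policy_action() {
    case "$1" in
        0) echo "continue" ;;
        2) echo "warn" ;;
        *) echo "fail" ;;
    esac
}

# Run load_policy inside the real root. Returns 0 to continue booting,
# 1 to abort. Skips quietly when the root carries no load_policy binary.
load_policy_hook() {
    root="${1:-${NEWROOT:-/sysroot}}"
    lp=""
    for p in /sbin/load_policy /usr/sbin/load_policy; do
        [ -x "$root$p" ] && { lp="$p"; break; }
    done
    if [ -z "$lp" ]; then
        echo "selinux: no load_policy in $root, skipping" >&2
        return 0
    fi
    chroot "$root" "$lp"
    rc=$?
    case "$(selinux_policy_action "$rc")" in
        continue) return 0 ;;
        warn) echo "selinux: policy load failed (rc=$rc), permissive, continuing" >&2; return 0 ;;
        *)    echo "selinux: policy load failed (rc=$rc), enforcing, aborting boot" >&2; return 1 ;;
    esac
}
```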