Re: selinux hasn't been running for over a week

On 09/18/2009 10:01 AM, Steve Grubb wrote:
> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
>>>> If the kernel has SELinux and it is not in permissive mode, it should
>>>>  execute load_policy
>>
>> Yes in permissive mode load_policy will return 2 if it can not load policy.
>> I guess dracut should also look in /etc/selinux/config to see if the
>>  SELINUX  environment variable is not set to enforcing.
> 
> What about interaction with the kernel command line? What the kernel was given 
> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says 
> enabled, shouldn't the kernel command line take priority?
> 
> 
Yes, the kernel command line wins.

Second is the /etc/selinux/config (SELINUX) line.

Parse the kernel command line to initialize the
selinux and enforcing environment variables.  The cmdline options are selinux=0 (to disable SELinux) and enforcing=0 (to put SELinux in permissive mode).


then dracut should execute
# Kernel command line wins: selinux=0 disables SELinux, enforcing=0 makes it permissive
selinux=1
enforcing=1
for opt in $(cat /proc/cmdline); do
	case "$opt" in
		selinux=0)   selinux=0 ;;
		enforcing=0) enforcing=0 ;;
	esac
done
# Second is the SELINUX= line of /etc/selinux/config
[ -r /etc/selinux/config ] && . /etc/selinux/config
ReportError() { echo "dracut: $*" >&2; }

if [ "$selinux" != 0 ] && [ "$enforcing" != 0 ] && [ "$SELINUX" = "enforcing" ]; then
	load_policy || { ReportError "load_policy failed"; exit 1; }	# blow up
elif [ "$selinux" != 0 ] && { [ "$enforcing" = 0 ] || [ "$SELINUX" = "permissive" ]; }; then
	load_policy || ReportError "load_policy failed (permissive mode)"
	# Continue no matter what
elif [ "$selinux" = 0 ] || [ "$enforcing" = 0 ] || [ "$SELINUX" = "disabled" ]; then
	: # Continue no matter what, although it would be nice to tell the kernel to drop SELinux support
else
	ReportError "unrecognized SELinux configuration"
	exit 1	# Blow Up
fi


>>> You mean if the machine is in permissive mode, it should load_policy, but
>>> not  crash. But it should log the reason so it can be debugged.
>>>
>>>> Load_policy will exit with 0 on success or 2 on failure and SELinux in
>>>>  permissive mode.
>>>
>>> And if chroot fails, we need to handle it.
>>
>> This will probably crash anyways
> 
> In the code I looked at, only if it returned 3...
> 
> -Steve 

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
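The precedence discussed in the thread (kernel command line first, then the SELINUX= line of /etc/selinux/config, then what to do with load_policy's exit status) as a testable pair of shell functions. This is an added example, not code from the thread or from dracut; selinux_mode and policy_action are hypothetical helper names, and the cmdline strings used are constructed.

```shell
#!/bin/sh
# selinux_mode CMDLINE SELINUX_VALUE
#   CMDLINE        = contents of /proc/cmdline
#   SELINUX_VALUE  = value of SELINUX= from /etc/selinux/config ('' if unset)
# Prints the mode dracut should act on: disabled, permissive, enforcing or unknown.
selinux_mode() {
    cmdline=$1; config=$2
    selinux=1; enforcing=1
    # Only the two options the thread mentions are recognized here.
    for opt in $cmdline; do
        case $opt in
            selinux=0)   selinux=0 ;;
            enforcing=0) enforcing=0 ;;
        esac
    done
    # Kernel command line wins over the config file.
    if [ "$selinux" = 0 ]; then
        echo disabled; return 0
    fi
    if [ "$enforcing" = 0 ]; then
        echo permissive; return 0
    fi
    # Second is the SELINUX= line of /etc/selinux/config.
    case $config in
        enforcing)  echo enforcing ;;
        permissive) echo permissive ;;
        disabled)   echo disabled ;;
        *)          echo unknown ;;
    esac
}

# policy_action MODE LOAD_POLICY_STATUS
# Prints "continue" or "fail". Per the thread, a non-zero load_policy exit
# (2 = could not load policy while permissive) is logged but not fatal unless
# the mode is enforcing; an unrecognized mode is treated as fatal.
policy_action() {
    mode=$1; status=$2
    case $mode in
        disabled)   echo continue ;;
        permissive) [ "$status" = 0 ] || echo "load_policy exited $status in permissive mode, continuing" >&2
                    echo continue ;;
        enforcing)  if [ "$status" = 0 ]; then echo continue; else echo fail; fi ;;
        *)          echo fail ;;
    esac
}
```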
