On 09/18/2009 10:01 AM, Steve Grubb wrote:
> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
>>>> If the kernel has SELinux and it is not in permissive mode, it should
>>>> execute load_policy
>>
>> Yes, in permissive mode load_policy will return 2 if it can not load policy.
>> I guess dracut should also look in /etc/selinux/config to see if the
>> SELINUX environment variable is not set to enforcing.
>
> What about interaction with the kernel command line? What the kernel was given
> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says
> enabled, shouldn't the kernel command line take priority?
>

Yes, kernel command line wins. Second is the /etc/selinux/config (SELINUX) line.

Execute the kernel command line to initialize the selinux and enforcing
environment variables.

cmdline options are
(selinux=0 to disable SELinux)
(enforcing=0 to put selinux in permissive mode)

then dracut should execute

    . /etc/selinux/config

    # ReportError and blow_up are placeholders for "log it" and "stop the boot"
    if [ "$selinux" != 0 ] && [ "$enforcing" != 0 ] && [ "$SELINUX" = "enforcing" ]; then
        load_policy || { ReportError; blow_up; }
    elif [ "$selinux" != 0 ] && { [ "$enforcing" = 0 ] || [ "$SELINUX" = "permissive" ]; }; then
        load_policy || ReportError
        # Continue no matter what
    elif [ "$selinux" = 0 ] || [ "$enforcing" = 0 ] || [ "$SELINUX" = "disabled" ]; then
        : # Continue no matter what, although it would be nice to tell the kernel to drop SELinux support
    else
        ReportError
        blow_up
    fi

>>> You mean if the machine is in permissive mode, it should load_policy, but
>>> not crash. But it should log the reason so it can be debugged.
>>>
>>>> Load_policy will exit with 0 on success or 2 on failure and SELinux in
>>>> permissive mode.
>>>
>>> And if chroot fails, we need to handle it.
>>
>> This will probably crash anyways
>
> In the code I looked at, only if it returned 3...
>
> -Steve

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
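The decision procedure discussed in the thread (kernel command line first, then the SELINUX= line of /etc/selinux/config, then call load_policy and treat a failure as fatal only when enforcing was requested), written out as a testable shell example. This is an added illustration, not dracut's own module and not code from the thread. It assumes the command line is handed in as a string (instead of being read from /proc/cmdline) and the config as a file path, so it can run offline against constructed inputs; load_policy is replaced by two stand-in functions that return 0 and 2 (the thread's success and permissive-failure codes). One choice here goes beyond the thread's pseudocode: a config value of SELINUX=disabled is honoured before enforcing=0, on the reasoning that enforcing=0 only relaxes enforcement and should not turn on an SELinux that the config switched off; the config value is read with sed rather than sourced, so an unexpected line in it cannot execute inside the initramfs.

```shell
#!/bin/sh
# Added example, not dracut code. Decide what the initramfs should do about
# SELinux from the kernel command line and /etc/selinux/config.

# selinux_mode CMDLINE CONFIG_FILE
# Prints enforcing, permissive, disabled, or unknown (nothing usable found).
selinux_mode() {
    cmdline=$1
    config=$2
    selinux=
    enforcing=
    SELINUX=

    # selinux=/enforcing= from the command line; a later repeat overrides.
    for word in $cmdline; do
        case $word in
            selinux=*)   selinux=${word#selinux=} ;;
            enforcing=*) enforcing=${word#enforcing=} ;;
        esac
    done

    # Read SELINUX= without sourcing the file (last assignment wins).
    if [ -r "$config" ]; then
        SELINUX=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$config" | tail -n 1)
    fi

    # Precedence: cmdline selinux=0, config disabled, cmdline enforcing=0, config.
    if [ "$selinux" = 0 ]; then
        echo disabled
    elif [ "$SELINUX" = disabled ]; then
        echo disabled
    elif [ "$enforcing" = 0 ]; then
        echo permissive
    else
        case $SELINUX in
            enforcing|permissive) echo "$SELINUX" ;;
            *) echo unknown ;;
        esac
    fi
}

# policy_outcome MODE LOADER
# Runs LOADER (a stand-in for load_policy) when a policy must be loaded and
# prints ok, skip, warn (permissive: log and keep booting) or fatal.
policy_outcome() {
    mode=$1
    loader=$2
    case $mode in
        disabled)             echo skip;  return 0 ;;
        enforcing|permissive) ;;
        *)                    echo fatal; return 0 ;;   # unparseable state
    esac
    if "$loader"; then
        echo ok
    elif [ "$mode" = permissive ]; then
        echo warn
    else
        echo fatal
    fi
}

# Stand-ins for load_policy: 0 on success, 2 when loading fails (per thread).
load_policy_ok()   { return 0; }
load_policy_fail() { return 2; }

# write_config MODE: writes a constructed /etc/selinux/config and prints its path.
write_config() {
    f=$(mktemp)
    printf '# constructed sample, not a real config\nSELINUX=%s\nSELINUXTYPE=targeted\n' "$1" > "$f"
    echo "$f"
}

# Demonstration with constructed inputs.
demo_cfg=$(write_config enforcing)
for cl in 'root=/dev/sda1 quiet' 'root=/dev/sda1 enforcing=0' 'root=/dev/sda1 selinux=0'; do
    mode=$(selinux_mode "$cl" "$demo_cfg")
    printf '%-28s mode=%-10s load failure -> %s\n' "$cl" "$mode" "$(policy_outcome "$mode" load_policy_fail)"
done
rm -f "$demo_cfg"
```

With the constructed enforcing config, a plain command line gives mode=enforcing and a failed load is fatal; enforcing=0 gives permissive and only a warning; selinux=0 skips loading altogether.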