On Fri, 2009-09-18 at 10:16 -0400, Daniel J Walsh wrote: > On 09/18/2009 10:05 AM, Stephen Smalley wrote: > > On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote: > >> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote: > >>>>> If the kernel has SELinux and it is not in permissive mode, it should > >>>>> execute load_policy > >>> > >>> Yes in permissive mode load_policy will return 2 if it can not load policy. > >>> I guess dracut should also look in /etc/selinux/config to see if the > >>> SELINUX environment variable is not set to enforcing. > >> > >> What about interaction with the kernel command line? What the kernel was given > >> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says > >> enabled, shouldn't the kernel command line take priority? > > > > That all gets taken care of inside of libselinux > > selinux_init_load_policy() function, which is what load_policy calls. > > > >> > >>>> You mean if the machine is in permissive mode, it should load_policy, but > >>>> not crash. But it should log the reason so it can be debugged. > >>>> > >>>>> Load_policy will exit with 0 on success or 2 on failure and SELinux in > >>>>> permissive mode. > >>>> > >>>> And if chroot fails, we need to handle it. > >>> > >>> This will probably crash anyways > >> > >> In the code I looked at, only if it returned 3... > > > > load_policy exits with 3 if the load policy failed and the system was > > supposed to be in enforcing mode (based on the combination of kernel > > command line arguments, which do take precedence, and > > the /etc/selinux/config setting). It exits with 2 if the load policy > > failed and the system was supposed to be permissive. > > > Right but what happens if load_policy is called with the wrong parameter? > What happens if load_policy can not be called because of permission denied? I'm not entirely clear as to why you are asking, but: $ load_policy --foo load_policy: invalid option -- '-' usage: load_policy [-qi] $ echo $? 1 $ runcon system_u:system_r:httpd_t:s0 load_policy runcon: load_policy: Permission denied $ echo $? 126 Are you just saying that dracut needs to fail closed (i.e. halt the system) if the exit code is anything other than 0 (success) or 2 (failed but permissive)? -- Stephen Smalley National Security Agency -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
