On 09/18/2009 10:27 AM, Stephen Smalley wrote:
> On Fri, 2009-09-18 at 10:15 -0400, Daniel J Walsh wrote:
>> On 09/18/2009 10:01 AM, Steve Grubb wrote:
>>> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
>>>>>> If the kernel has SELinux and it is not in permissive mode, it should
>>>>>> execute load_policy
>>>>
>>>> Yes, in permissive mode load_policy will return 2 if it cannot load policy.
>>>> I guess dracut should also look in /etc/selinux/config to see if the
>>>> SELINUX environment variable is not set to enforcing.
>>>
>>> What about interaction with the kernel command line? What the kernel was given
>>> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says
>>> enabled, shouldn't the kernel command line take priority?
>>>
>>>
>> Yes, kernel command line wins.
>>
>> Second is the /etc/selinux/config (SELINUX) line.
>>
>> Execute the kernel command line to initialize the
>> selinux and enforcing environment variables. cmdline options are
>> (selinux=0 to disable SELinux) (enforcing=0 to put selinux in permissive mode)
>>
>>
>> then dracut should execute
>> . /etc/selinux/config
>> if [ "$selinux" != 0 && "$enforcing" != 0 && "$SELINUX" == "enforcing" ]; then
>>     load_policy
>>     if $? != 0; ReportError() && blow up
>> elif [ "$selinux" != 0 && ("$enforcing" == 0 || "$SELINUX" == "permissive") ]; then
>>     load_policy
>>     if $? != 0; ReportError()
>>     # Continue no matter what
>> elif [ "$selinux" == 0 || "$enforcing" == 0 || "$SELINUX" == "disabled" ]; then
>>     # Continue no matter what, although it would be nice to tell the kernel to drop SELinux support
>> else
>>     Report_error()
>>     Blow Up
>> endif
>
> You mean load_policy -i, right? That's the initial policy load that
> happens at boot.
>
Yes, sorry, I was just trying to write this up in pseudocode; "load_policy -i" is required.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
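The decision logic sketched in the thread, written out as working POSIX shell. This is an added example, not code from the thread or from dracut: it transcribes Dan Walsh's branch order exactly (kernel command line first, then the SELINUX= line of /etc/selinux/config, then the fall-through error case) and takes the command line and config text as arguments so it can be exercised offline. The `selinux_decide`, `selinux_boot`, `cmdline_value` and `config_mode` names are my own, and the loader command passed to `selinux_boot` is a hypothetical hook standing in for `load_policy -i`, which the thread identifies as the real initial policy load.

```shell
#!/bin/sh
# Added example: initramfs-side decision for the initial SELinux policy load,
# following the precedence from the thread:
#   1. kernel command line  (selinux=0 disables; enforcing=0 means permissive)
#   2. SELINUX= in /etc/selinux/config
#   3. anything else is a configuration error

# Print the value of key=value from a kernel command line string, or nothing.
# Usage: cmdline_value "<cmdline text>" "<key>"
cmdline_value() {
    key="$2"; val=""
    for tok in $1; do
        case "$tok" in
            "$key"=*) val="${tok#*=}" ;;
        esac
    done
    printf '%s' "$val"
}

# Print the SELINUX= value from config text (comments ignored, last one wins).
# Matches only "SELINUX=", so a SELINUXTYPE= line is not picked up.
config_mode() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' \
        | tail -n 1
}

# Which branch of the thread's pseudocode applies. Prints one word:
#   enforcing  - load policy; a failed load is fatal
#   permissive - load policy; a failed load is reported, boot continues
#   disabled   - skip the load
#   error      - unrecognised configuration; fatal
selinux_decide() {
    sel=$(cmdline_value "$1" selinux)
    enf=$(cmdline_value "$1" enforcing)
    cfg=$(config_mode "$2")
    if [ "$sel" != 0 ] && [ "$enf" != 0 ] && [ "$cfg" = enforcing ]; then
        echo enforcing
    elif [ "$sel" != 0 ] && { [ "$enf" = 0 ] || [ "$cfg" = permissive ]; }; then
        echo permissive
    elif [ "$sel" = 0 ] || [ "$enf" = 0 ] || [ "$cfg" = disabled ]; then
        echo disabled
    else
        echo error
    fi
}

# Perform the initial load according to the decision.
# $1 = kernel command line text, $2 = config text,
# $3 = loader command (hypothetical hook; defaults to "load_policy -i").
# Returns 0 when boot may continue, 1 when it must stop.
selinux_boot() {
    loader="${3:-load_policy -i}"
    case $(selinux_decide "$1" "$2") in
        enforcing)
            $loader || {
                echo "initial policy load failed; refusing to boot enforcing" >&2
                return 1
            } ;;
        permissive)
            $loader || echo "initial policy load failed; continuing permissive" >&2 ;;
        disabled)
            ;;
        *)
            echo "unrecognised SELinux configuration" >&2
            return 1 ;;
    esac
    return 0
}

# Stand-alone use on a real system: ./selinux-boot.sh --boot
if [ "${1-}" = "--boot" ]; then
    selinux_boot "$(cat /proc/cmdline)" "$(cat /etc/selinux/config 2>/dev/null)"
fi
```

Note that the branch order matters: `enforcing=0` on the command line is matched by the permissive branch before the disabled branch, so a config of `SELINUX=disabled` combined with `enforcing=0` still attempts a (non-fatal) policy load, exactly as the pseudocode in the thread has it.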