On Tue, 2004-06-29 at 10:03, Bob Gustafson wrote:
> Hmm, that looks pretty useful.
>
> I wonder what it would have looked like with the wrong values in the
> /etc/selinux/config?

For the SELINUXTYPE=, there is no fixed set of legitimate values,
because anyone might install their own "foo" policy under /etc/selinux.
So with SELINUXTYPE=permissive, you would have just seen output like:

policypath="/etc/selinux/permissive"
default_type_path="/etc/selinux/permissive/contexts/default_type"
...

> And to what effect?

Since the "permissive" directory didn't exist, init wouldn't be able to
load a policy. If enforcing, then init should have died immediately
with an error. If permissive, it should have logged a warning and
proceeded in permissive with no policy loaded.

> I did not see any failures, but clearly I had the wrong values in my
> /etc/selinux/config file:

It likely wouldn't be captured in /var/log/messages, since this is
happening _before_ syslogd is started. But there should be a message on
the console (but I agree that I also do not see one, so this is a bug).

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
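
Added example, not part of the original message and not code from libselinux or init: a shell check that catches the case discussed above, where SELINUXTYPE= names a directory that does not exist under /etc/selinux, before the next boot. The function name `check_selinux_config`, its ROOT prefix argument, the choice to read the last assignment of each key, and the "swapped values" hint are assumptions of this sketch; the sample config is constructed.

```shell
#!/bin/sh
# check_selinux_config ROOT   (hypothetical helper, not a libselinux tool)
# ROOT is a filesystem prefix: "" for the live system, or a test tree.
# Prints findings; returns 0 if the config looks loadable, 1 otherwise.
check_selinux_config() {
    root="$1"
    cfg="$root/etc/selinux/config"
    rc=0
    [ -r "$cfg" ] || { echo "missing: $cfg"; return 1; }

    # Assumption of this sketch: use the last uncommented assignment of each key.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=//p' "$cfg" | tail -n 1 | tr -d '[:space:]')
    type=$(sed -n 's/^[[:space:]]*SELINUXTYPE=//p' "$cfg" | tail -n 1 | tr -d '[:space:]')

    # SELINUX= has a fixed set of values; SELINUXTYPE= does not.
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "SELINUX='$mode' is not enforcing, permissive or disabled"; rc=1 ;;
    esac

    # SELINUXTYPE= is only valid if a policy tree with that name is installed.
    if [ -z "$type" ]; then
        echo "SELINUXTYPE is not set"; rc=1
    elif [ ! -d "$root/etc/selinux/$type" ]; then
        echo "SELINUXTYPE='$type' but $root/etc/selinux/$type does not exist"
        case "$type" in
            enforcing|permissive|disabled)
                echo "hint: '$type' is a SELINUX= mode; the two values may be swapped" ;;
        esac
        rc=1
    fi
    return $rc
}

# Constructed sample: SELINUXTYPE=permissive with no matching policy directory.
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux"
printf 'SELINUX=enforcing\nSELINUXTYPE=permissive\n' > "$demo/etc/selinux/config"
check_selinux_config "$demo" || echo "result: no policy could be loaded from this config"
rm -rf "$demo"
```

Run it as `check_selinux_config ""` to check the live system.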