On 1/24/08 11:11 AM, "Bill Nottingham" <notting@xxxxxxxxxx> wrote:

> Stephen Smalley (sds@xxxxxxxxxxxxx) said:
>> Hmm...Chad Sellers was working on similar support for Ubuntu, but did it
>> by adding a -i option to the load_policy program to perform an initial
>> policy load so that you can just execute it from a script rather than
>> requiring a direct patch to nash or anything else. cc'ing him. The
>> load_policy -i support is upstream and should be in Fedora devel /
>> rawhide too.
>
> This would still need to be done chroot()ed into the system (there's no
> way to set the base path for filename resolution), correct?
>

Yes, I have to chroot to make this work. The current working initramfs script that I've been using in Ubuntu looks like this (at least the important parts):

    # Don't let a failed load abort the initramfs; we look at the status ourselves.
    set +e
    # The initial load has to see the real root as "/" so load_policy can find
    # /etc/selinux/config and the policy store.
    chroot /root /usr/sbin/load_policy -i
    RET=$?
    # load_policy -i exits 3 when the load failed and enforcing mode was requested.
    if [ $RET -eq 3 ]; then
        echo "SELinux policy load failed and enforcing mode requested, halting now"
        kill -INT 1
    elif [ $RET -ne 0 ]; then
        echo "SELinux policy load failed, continuing"
    fi

So, I just call load_policy -i from a chroot, and then save off the return value. load_policy -i has a separate return value (3) if the system should halt (i.e. enforcing requested but policy load failed). If that occurs, I kill the initramfs init process.

Note that Ubuntu uses busybox init for its initrd, which seems quite buggy when it comes to signal handling. It apparently ignores SIGKILL, but dies on SIGINT. Eventually I plan to debug this further to figure out why this is the case and send a patch to the busybox guys, but I haven't had time yet.

----------------------
Chad Sellers
csellers@xxxxxxxxxx
http://www.tresys.com

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
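An added example, not Chad Sellers' script or anything from the Ubuntu or Tresys initramfs work: the same "chroot, run load_policy -i, act on the exit status" procedure written as POSIX sh functions, extended with one case the snippet above leaves implicit. If /usr/sbin/load_policy cannot be executed inside the chroot at all (binary missing, wrong architecture, not executable), the non-zero status comes from chroot itself, not from load_policy, so the "anything other than 3 means continue" rule would boot an enforcing-configured system with no policy loaded. The fallback here reads SELINUX= from the root's /etc/selinux/config in that case. The function names, the ROOT variable, and the assumption that chroot reports an exec failure as 126 or 127 (the busybox and coreutils convention) are mine, as is the constructed demo input; the exit status 3 meaning and the kill -INT 1 halt come from the thread.

```shell
# Added example (not the original initramfs script). Initial SELinux policy load
# from an initramfs, with explicit handling of "load_policy could not even run".

ROOT=${ROOT:-/root}   # where the real root filesystem is mounted inside the initramfs (assumed)

# Returns 0 if $1/etc/selinux/config asks for enforcing mode, 1 otherwise.
# A missing or unreadable config is treated as not enforcing. The last SELINUX=
# line wins here (a choice made for this example, not a libselinux guarantee).
selinux_configured_enforcing() {
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || return 1
    mode=$(grep '^SELINUX=' "$cfg" | tail -n 1 | tr -d '[:space:]')
    [ "$mode" = "SELINUX=enforcing" ]
}

# Map the exit status of "chroot $root /usr/sbin/load_policy -i" to an action:
#   ok        policy loaded
#   halt      load_policy exited 3 (load failed, enforcing requested), or
#             load_policy could not be run (126/127, assumed chroot exec-failure
#             codes) and the config asks for enforcing
#   continue  any other failure: boot on without a policy
policy_load_action() {
    rc=$1
    root=$2
    case "$rc" in
        0)       echo ok ;;
        3)       echo halt ;;
        126|127)
            if selinux_configured_enforcing "$root"; then
                echo halt
            else
                echo continue
            fi ;;
        *)       echo continue ;;
    esac
}

# Run the initial load in the chroot and print the resulting action. The chroot
# sits under "if" so its non-zero status cannot trip "set -e" in the init script.
initial_policy_load() {
    root=${1:-$ROOT}
    if chroot "$root" /usr/sbin/load_policy -i; then rc=0; else rc=$?; fi
    policy_load_action "$rc" "$root"
}

# What the initramfs init does with the action. "halt" follows the original
# script: interrupt PID 1 (busybox init), which the thread reports dies on SIGINT.
apply_policy_load_action() {
    case "$1" in
        ok)       ;;
        halt)     echo "SELinux policy load failed and enforcing mode requested, halting now"
                  kill -INT 1 ;;
        continue) echo "SELinux policy load failed, continuing" ;;
    esac
}

# Constructed demonstration that needs no SELinux: fake root trees with
# different /etc/selinux/config contents, run through the decision table.
demo_policy_load_decisions() {
    tmp=$(mktemp -d)
    for mode in enforcing permissive; do
        mkdir -p "$tmp/$mode/etc/selinux"
        printf 'SELINUX=%s\nSELINUXTYPE=refpolicy\n' "$mode" > "$tmp/$mode/etc/selinux/config"
        for rc in 0 1 3 127; do
            printf 'config=%-10s rc=%-3s -> %s\n' "$mode" "$rc" \
                "$(policy_load_action "$rc" "$tmp/$mode")"
        done
    done
    rm -rf "$tmp"
}

# Usage in an initramfs: apply_policy_load_action "$(initial_policy_load /root)"
# Run "sh thisfile.sh demo" to see the decision table on the constructed configs.
if [ "${1:-}" = demo ]; then
    demo_policy_load_decisions
fi
```

In the real init script only `initial_policy_load` and `apply_policy_load_action` are called; the config fallback never replaces load_policy's own verdict (exit 3), it only fills the hole where no verdict was produced at all.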