Chad Sellers (csellers@xxxxxxxxxx) said:
> A good point. I handle this (in my script from the other post) by only dying
> if the return code is 3 (meaning we're supposed to be enforcing and loading
> policy failed). I didn't consider all the error conditions due to chroot
> itself. I believe the list of return codes to consider (thanks to Steve) is:
>
> chroot:
> 0 success
> 1 (various failures, including usage, failure to chroot, failure to
> chdir)
> 126 (any failure on exec except for ENOENT)
> 127 (ENOENT on the exec, i.e. couldn't find load_policy)
>
> load_policy -i:
> 0 success
> 1 usage
> 2 can't load policy but proceed
> 3 can't load policy and die
>
> The security guy in me says die on any return value besides 0 or 2, but
> that's probably too draconian. At the very least, we should continue on 127
> (if load_policy is not installed).
>
> Thoughts?

If load_policy isn't installed, you want to proceed. If chroot outright fails, you'll almost certainly fail later in your boot anyway, so I don't know if you need to explicitly handle that.

Bill

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
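As an added example (not code from the thread, and not Chad's script): a POSIX sh fragment that runs `load_policy -i` inside the new root and dispatches on the combined chroot/load_policy exit status using the table quoted above, taking the stricter reading from the thread (continue only on 0, 2 and 127, die on everything else). The root path `$NEWROOT`, the path `/usr/sbin/load_policy` inside it, and the `LOAD_POLICY_CMD` override used to exercise the dispatch without a real chroot are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from the script under discussion.
# Assumed for illustration: the new root is mounted at $NEWROOT, load_policy
# lives at /usr/sbin/load_policy inside it, and LOAD_POLICY_CMD may override
# the command so the dispatch can be exercised without a real chroot.

# Map the exit status of `chroot "$NEWROOT" /usr/sbin/load_policy -i` to a
# boot decision. Stricter reading from the thread: continue only on 0, 2
# and 127; treat everything else as fatal. Prints "continue" or "die".
policy_verdict() {
    case "$1" in
        0)   echo continue ;;  # load_policy: policy loaded
        2)   echo continue ;;  # load_policy: could not load, but not enforcing
        127) echo continue ;;  # chroot: exec got ENOENT, load_policy not installed
                               # (the shell also returns 127 if chroot itself is missing)
        3)   echo die ;;       # load_policy: enforcing requested and the load failed
        1)   echo die ;;       # ambiguous: chroot usage/chroot/chdir failure, or a
                               # load_policy usage error; both are unexpected here
        126) echo die ;;       # chroot: exec failed for a reason other than ENOENT
        *)   echo die ;;       # unknown status: fail closed
    esac
}

# Run load_policy -i inside the new root and report the verdict through the
# return value: 0 means keep booting, non-zero means the script should die.
load_policy_in_root() {
    newroot="$1"
    rc=0
    # `|| rc=$?` captures the status without letting a `set -e` script
    # abort before the status has been inspected.
    if [ -n "${LOAD_POLICY_CMD:-}" ]; then
        $LOAD_POLICY_CMD || rc=$?
    else
        chroot "$newroot" /usr/sbin/load_policy -i || rc=$?
    fi
    verdict=$(policy_verdict "$rc")
    echo "load_policy -i in $newroot exited $rc: $verdict" >&2
    [ "$verdict" = continue ]
}

# Stand-alone use: NEWROOT=/sysroot sh thisscript.sh
if [ -n "${NEWROOT:-}" ]; then
    load_policy_in_root "$NEWROOT" || echo "initscript would die here" >&2
fi
```

The one status the caller cannot disambiguate is 1: chroot's own failures and a load_policy usage error both come back as 1, so the script has to pick one treatment for it. Returning the verdict instead of calling `exit` inside the function leaves the actual halt (and any logging to the console) to the initscript that sources this.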