Re: Policy loading problem

I have actually tried both.
The way it's usually done is through a patched init, which used to work some 
time ago (I don't remember which version of the kernel, the policy and the 
SELinux-tools/-libraries I used then, as everything always is being updated 
and I worked on a lot of other stuff in between).
I also tried the approach Fedora uses, pretty much taking apart their initrd 
and reimplementing the load_policy-command from nash into a separate program 
(as I had trouble compiling nash). I got it partially working later, but not in 
the way I used to do it and not the way it's supposed to be.

So, as said, the way it's supposed to be is a patched init, although I could live 
with doing it in my initramfs (I use that instead of an initrd, but it's 
basically the same anyway).

Still I find it quite confusing that the policy gets loaded when I set SELinux 
to enforcing, but not when I set it to permissive.

On Wednesday 20 May 2009 19:46:49 you wrote:
> On Wed, 2009-05-20 at 09:21 +0200, Dennis Wronka wrote:
> > Hello folks,
> >
> > currently I am experiencing quite a strange problem during system-boot.
> > The problem is that the policy only gets loaded when I boot into
> > enforcing-mode. Booting into permissive mode (doesn't matter if via
> > kernel-parameter or config-file) does not load the policy at all.
> >
> > I am using Kernel 2.6.29.3 and Reference Policy 2.20081210.
> > Did anything change in the latest kernel or policy that triggers this? Is
> > it possible to create a policy that cannot be loaded in permissive mode?
> >
> > Any help or suggestion would be great.
>
> What mechanism are you using to perform the initial policy load (Fedora
> originally patched /sbin/init then migrated to performing the load from
> the initrd; Ubuntu does the load from initrd but in a different manner;
> Debian still uses a patched init I believe)?
>
> Can you post the logic for your initial policy load, whether it is a
> patch to /sbin/init or an initrd script?

