Re: Policy loading problem

Just an idea:
Wouldn't it be possible to split CONFIG_SECURITY_SELINUX_DEVELOP into two 
options, pretty much like CONFIG_SECURITY_SELINUX_BOOTPARAM and 
CONFIG_SECURITY_SELINUX_DISABLE?

I like the idea because it would prevent somebody that has physical access from 
setting SELinux to permissive (and thus practically disabling its protection) on 
boot, but still keep the option for root (either as sysadm_r or, preferably, 
as secadm_r) to switch to permissive mode after boot.

On Wednesday 20 May 2009 22:59:13 Stephen Smalley wrote:
> On Wed, 2009-05-20 at 22:57 +0800, Dennis Wronka wrote:
> > Okay, here we go:
> >
> > I unmounted /selinux and then got this:
> > load_policy: Can't load policy: Invalid argument
> >
> > I attached my kernel-config and the two traces (trace1 for the "Device or
> > resource busy"-error, trace2 for the "Invalid argument"-error).
>
> Ahem.  Your kernel config has these SELinux options:
> CONFIG_SECURITY_SELINUX=y
> # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
> # CONFIG_SECURITY_SELINUX_DISABLE is not set
> # CONFIG_SECURITY_SELINUX_DEVELOP is not set
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
>
> Note that your kernel config does not support:
> 1) The selinux= kernel boot parameter
> (CONFIG_SECURITY_SELINUX_BOOTPARAM),
> 2) The ability to disable SELinux from /sbin/init based on
> SELINUX=disabled in /etc/selinux/config
> (CONFIG_SECURITY_SELINUX_DISABLE),
> 3) Permissive mode (CONFIG_SECURITY_SELINUX_DEVELOP)
>
> Is that what you intended?  IOW, you cannot boot permissive, and the
> load policy logic is failing when it tries to switch to permissive mode
> (write to /selinux/enforce).

