init problem

Hello,

I just tried to boot an SELinux installation in the plain old way (i.e.
without initramfs) and it seems there is a bug in the init mechanism.
Sysvinit has a

#ifdef WITH_SELINUX
        if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
          putenv("SELINUX_INIT=YES");
          if (selinux_init_load_policy(&enforce) == 0 ) {
            execv(myname, argv);

whereas the is_selinux_enabled man page says "returns 1 if SELinux is
running or 0 if it is not.".

The problem is that init is the first process and at that very early
point neither /selinux nor /proc is mounted. The function uses these to
determine the state of things and if it can't it returns a -1, which is
an undocumented value and thus a value not accounted for.

So I think that either is_selinux_enabled should return 0 if it can't
tell (or use some other mechanism to tell), or -1 should be documented
in the man page and the sysvinit code should be changed to read 

  if (getenv("SELINUX_INIT") == NULL && (0 == is_selinux_enabled())) {
                                         ^^^^

Michal Svoboda
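
The early-boot case described in the message, modelled as an added example that is not part of the original message and is not sysvinit or libselinux code. probe_enabled(), decide_quoted() and decide_tristate() are hypothetical names; decide_tristate() assumes the message's first suggestion applied at the call site, so that a "could not tell" result is handled like 0.

```c
#include <stdio.h>
#include <stddef.h>

/* Return values of is_selinux_enabled() as the message describes them. */
enum { SE_UNKNOWN = -1, SE_OFF = 0, SE_ON = 1 };
enum action { CONTINUE_BOOT, LOAD_AND_REEXEC };

/* Stand-in for is_selinux_enabled(): it can only answer once the
 * filesystems it reads are mounted (constructed model, not libselinux). */
static int probe_enabled(int fs_mounted, int policy_loaded)
{
    if (!fs_mounted)
        return SE_UNKNOWN;
    return policy_loaded ? SE_ON : SE_OFF;
}

/* Condition as quoted from sysvinit: -1 is nonzero, so !(-1) is 0. */
static enum action decide_quoted(const char *selinux_init, int enabled)
{
    return (selinux_init == NULL && !enabled) ? LOAD_AND_REEXEC : CONTINUE_BOOT;
}

/* Assumed alternative: only a definite 1 skips the policy load, so
 * "could not tell" takes the same path as "not running". */
static enum action decide_tristate(const char *selinux_init, int enabled)
{
    return (selinux_init == NULL && enabled != SE_ON) ? LOAD_AND_REEXEC : CONTINUE_BOOT;
}

int main(void)
{
    /* Constructed boot states: {fs_mounted, policy_loaded}. */
    const int states[][2] = { {0, 0}, {1, 0}, {1, 1} };
    for (size_t i = 0; i < 3; i++) {
        int e = probe_enabled(states[i][0], states[i][1]);
        printf("is_selinux_enabled=%2d quoted=%d tristate=%d\n", e,
               (int)decide_quoted(NULL, e), (int)decide_tristate(NULL, e));
    }
    /* After the re-exec SELINUX_INIT is set, so the load is not repeated. */
    printf("after re-exec: %d\n", (int)decide_tristate("YES", SE_UNKNOWN));
    return 0;
}
```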
