Re: init problem

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

On 03/07/2010 05:15 AM, Michal Svoboda wrote:
> Hello,
>
> I just tried to boot a selinux installation in the plain old way (ie.
> without initramfs) and it seems there is a bug in the init mechanism.
> Sysvinit has a
>
> #ifdef WITH_SELINUX
>          if (getenv("SELINUX_INIT") == NULL&&  !is_selinux_enabled()) {
>            putenv("SELINUX_INIT=YES");
>            if (selinux_init_load_policy(&enforce) == 0 ) {
>              execv(myname, argv);
>
> whereas the is_selinux_enabled man page says "returns 1 if SELinux is
> running or 0 if it is not.".
>
> The problem is that init is the first process and at that very early
> point neither /selinux nor /proc is mounted. The function uses these to
> determine the state of things and if it can't it returns a -1, which is
> an undocumented value and thus a value not accounted for.
>
> So I think that either is_selinux_enabled should return 0 if it can't
> tell (or use some other mechanism to tell), or -1 should be documented
> in the man page and the sysvinit code should be changed to read
>
>    if (getenv("SELINUX_INIT") == NULL&&  (0 == is_selinux_enabled())) {
>                                           ^^^^
>
> Michal Svoboda
>    
man is_selinux_enabled()
...
       is_selinux_enabled  returns  1 if SELinux is running or 0 if it 
is not.
       May change soon.
...
russell@xxxxxxxxxxxx            1 January 2004           
is_selinux_enabled(3)

I guess it depends on your definition of soon.

/usr/include/selinux/selinux.h  has

/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if 
we get an error. */
extern int is_selinux_enabled(void);

Attached patch to fix man page.


diff --exclude-from=exclude -N -u -r nsalibselinux/man/man3/is_selinux_enabled.3 libselinux-2.0.92/man/man3/is_selinux_enabled.3
--- nsalibselinux/man/man3/is_selinux_enabled.3	2009-03-06 14:41:45.000000000 -0500
+++ libselinux-2.0.92/man/man3/is_selinux_enabled.3	2010-03-07 07:40:57.000000000 -0500
@@ -1,4 +1,4 @@
-.TH "is_selinux_enabled" "3" "1 January 2004" "russell@xxxxxxxxxxxx" "SELinux API documentation"
+.TH "is_selinux_enabled" "3" "7 Mar 2010" "russell@xxxxxxxxxxxx" "SELinux API documentation"
 .SH "NAME"
 is_selinux_enabled \- check whether SELinux is enabled
 
@@ -14,6 +14,7 @@
 .SH "DESCRIPTION"
 .B is_selinux_enabled
 returns 1 if SELinux is running or 0 if it is not. 
+On error, \-1 is returned.
 
 .B is_selinux_mls_enabled
 returns 1 if SELinux is running in MLS mode or 0 if it is not.