On Fri, Sep 23, 2011 at 3:09 PM, Guido Trentalancia <guido@xxxxxxxxxxxxxxxx> wrote:
> On Fri, 2011-09-23 at 13:38 -0400, Daniel J Walsh wrote:
> Yes, very good. At the end, a very polite message is not the first
> priority in such a situation...
>
> But unfortunately this is not the case for the upstream bits.
>
> Ideally it should be tackled in the SELinux kernel code. Did RHEL and
> Fedora patch the kernel then to achieve that?

No, we consider init to be part of the trusted base required to load policy.

The Fedora init (systemd now, but it's been old init, some scripts in the initramfs, and who knows what else) tries to load policy and, if it can't and it was supposed to be enforcing, will either print an error and halt for a really long time and then exit, or exit directly. init exiting is enough to make the kernel panic and thus shut down the box.

The tool that is trusted to load the policy is what needs to make this check.

-Eric

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
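The boot-time check Eric describes, as an added example that is not part of this thread or of any Fedora init: a POSIX sh function in the style of an initramfs script, which decides from the requested mode whether boot may continue when policy loading fails. It assumes a config file using the SELINUX= key as /etc/selinux/config does, and takes the policy-loading command as an argument (a real init would run load_policy(8); the demo and test use true/false stand-ins).

```shell
#!/bin/sh
# Added illustration of "the tool that loads policy makes the check".
# Assumptions: $1 is a config file with SELINUX=enforcing|permissive|disabled;
# the remaining arguments are the policy loader (load_policy(8) on a real
# system), expected to exit non-zero when policy could not be loaded.

# Print the requested mode from the config file; default to enforcing when
# the key is absent, so a missing or truncated config fails closed.
selinux_requested_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${mode:-enforcing}"
}

# Returns 0 when boot may continue and 1 when init must stop. In a real init,
# as the mail notes, PID 1 exiting makes the kernel panic and halts the box.
selinux_boot_check() {
    config=$1
    shift
    mode=$(selinux_requested_mode "$config")
    if [ "$mode" = disabled ]; then
        return 0            # nothing to load, boot continues
    fi
    if "$@"; then
        return 0            # policy loaded, boot continues
    fi
    echo "init: failed to load SELinux policy" >&2
    if [ "$mode" = enforcing ]; then
        echo "init: enforcing mode required; refusing to continue boot" >&2
        return 1
    fi
    echo "init: permissive mode requested; continuing without policy" >&2
    return 0
}

# Demo on a constructed config (not a real /etc/selinux/config), with a
# loader that always fails, to show the enforcing case halting boot.
demo=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo"
if selinux_boot_check "$demo" false; then
    echo "demo: boot continues"
else
    echo "demo: boot halts"
fi
rm -f "$demo"
```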