On Fri, 2011-09-23 at 16:45 -0400, Eric Paris wrote:
> On Fri, Sep 23, 2011 at 3:09 PM, Guido Trentalancia
> <guido@xxxxxxxxxxxxxxxx> wrote:
> > On Fri, 2011-09-23 at 13:38 -0400, Daniel J Walsh wrote:
> > > Yes, very good. At the end, a very polite message is not the first
> > priority in such a situation...
> >
> > But unfortunately this is not the case for the upstream bits.
> >
> > Ideally it should be tackled in the SELinux kernel code. Did RHEL and
> > Fedora patch the kernel then to achieve that?
>
> No, we consider init to be part of the trusted base required to load
> policy. The Fedora init (systemd not, but it's been old init, some
> scripts in the initramfs, and who knows what else) tries to load policy
> and if it can't and it was supposed to be enforcing will either print
> an error and halt for a really long time and then exit, or exit
> directly. init exiting is enough to make the kernel panic and thus
> shut down the box.
>
> The tool that is trusted to load the policy is what needs to make this check.

What really confuses me at this point is the fact that within this specific thread, Justin said that he was using Fedora (F15 as far as I remember).

Anyway, apart from the specific case, it remains a fact that the upstream SELinux + reference policy combo does allow the system to keep running (in the wrong context, i.e. kernel_t or insmod_t) despite init not having transitioned to its context after the initial stage. I am not particularly keen on this behavior.

You seem to suggest that load_policy -i (and not the kernel) should make sure that init has transitioned to its designated context...

So then, getting back to the specific case at hand, my question becomes: "did Fedora and RHEL patch the upstream load_policy tool to achieve this halt-on-init-failure behavior?".

In any case, how come this check didn't work on Justin's system?

Regards,

Guido

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
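The check Eric describes (the policy-loading tool verifying that PID 1 actually left the kernel's initial SID domain, and refusing to carry on in enforcing mode if it did not) can be expressed as a small post-load script. The example below is added here for illustration; it is not part of the thread, of the upstream load_policy tool, or of any Fedora/RHEL init. The expected init domain name init_t (reference-policy naming) and the sample contexts in the test are assumptions; kernel_t and insmod_t are the "wrong" domains named in the message above. Only the --live mode touches the running system.

```shell
#!/bin/sh
# Added example (not from the thread or any distribution's init): after policy
# load, verify that PID 1 has transitioned out of the initial-SID domain.
# Assumptions: the init domain is called init_t (reference policy naming),
# selinuxfs is mounted at /sys/fs/selinux, and a stale PID 1 shows up as
# kernel_t or insmod_t (the domains named in the discussion).

# Third colon-separated field of a context, e.g. "init_t" from
# "system_u:system_r:init_t:s0".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify a PID 1 context string. Echoes one of:
#   transitioned   - type equals the expected init domain
#   untransitioned - still in an initial-SID domain (kernel_t, insmod_t)
#   unexpected     - some other type (worth a look, but not the known failure)
# Always returns 0 so it is safe to use under "set -e".
classify_init_context() {
    ctx=$1
    expected=${2:-init_t}
    t=$(context_type "$ctx")
    case "$t" in
        "$expected")       echo transitioned ;;
        kernel_t|insmod_t) echo untransitioned ;;
        *)                 echo unexpected ;;
    esac
    return 0
}

# Map verdict + enforcing flag (contents of /sys/fs/selinux/enforce, 0 or 1)
# to the action the loader should take: ok, warn (permissive), or halt.
decide_action() {
    verdict=$1
    enforcing=$2
    if [ "$verdict" = transitioned ]; then
        echo ok
    elif [ "$enforcing" = 1 ]; then
        echo halt
    else
        echo warn
    fi
    return 0
}

# Live check against the running kernel. Exit status: 0 ok, 1 warn,
# 2 SELinux not available, 3 halt (caller decides how to stop the box).
check_running_init() {
    expected=${1:-init_t}
    sel=/sys/fs/selinux
    if [ ! -r "$sel/enforce" ]; then
        echo "selinuxfs not mounted at $sel; cannot verify PID 1 context" >&2
        return 2
    fi
    enforcing=$(cat "$sel/enforce")
    # /proc/1/attr/current may carry a trailing NUL; strip it.
    ctx=$(tr -d '\0' < /proc/1/attr/current)
    verdict=$(classify_init_context "$ctx" "$expected")
    action=$(decide_action "$verdict" "$enforcing")
    echo "pid 1 context: $ctx ($verdict, enforcing=$enforcing) -> $action"
    case "$action" in
        ok)   return 0 ;;
        warn) return 1 ;;
        halt) return 3 ;;
    esac
}

# Usage: ./init-check.sh --live [expected_type]
# e.g. from the tail of a policy-loading script:  ./init-check.sh --live init_t
if [ "${1:-}" = --live ]; then
    check_running_init "${2:-init_t}"
fi
```

The classification is deliberately separated from the decision: a permissive boot with PID 1 still in kernel_t is a warning worth logging, while the same state in enforcing mode is exactly the "keep running in the wrong context" outcome Guido objects to, so that is the only case mapped to halt. What "halt" means (exit so the kernel panics, or loop forever) is left to the caller, matching the two behaviours Eric describes.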