On 02/20/2014 10:42 AM, Colin Walters wrote:
> Currently on at least Fedora, SELinux policy does not come in
> the initramfs.  systemd will attempt to load *both* in the
> initramfs and in the real root.
>
> Now, the selinux_init_load_policy() API has a regular error return
> value, as well as an "enforcing" boolean.  To determine enforcing
> state, it looks for /etc/selinux/config as well as the presence
> of "enforcing=" on the kernel command line.
>
> Ordinarily, neither of those exists in the initramfs, so it will return
> "unknown" for enforcing, and systemd will simply ignore the failure to
> load policy.
>
> Then later, after we switch to the real root, we have the config file,
> and all will work properly.
>
> Except...this all blows up if someone explicitly specifies enforcing=1
> on the kernel command line.  Then systemd will fail to load the
> nonexistent policy in the initramfs and freeze.
>
> What this patch does is quite simple - we add an internal API that
> says where we expect to find policy, and attempt to load it exactly
> from there.  Right now, since I'm not aware of anyone who does
> policy-in-initramfs, this function is hardcoded to return false.
>
> Lots-of-very-painful-debugging-by: Colin Walters <walters@xxxxxxxxxx>
> ---
>  src/core/main.c          |  6 ++++--
>  src/core/selinux-setup.c | 10 ++++++++++
>  src/core/selinux-setup.h |  2 ++
>  3 files changed, 16 insertions(+), 2 deletions(-)

Wouldn't it be better (and more correct) to probe both the initramfs and
the real root, and if neither one can load policy successfully and
enforcing=1, then halt?

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
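The following is an added worked model of the decision the thread is about; it is not code from systemd, libselinux or the patch. It reduces the enforcing-state lookup that selinux_init_load_policy() performs (config file plus "enforcing=" on the kernel command line) to two small parsers over constructed inputs, then contrasts the per-attempt decision that freezes boot in the initramfs scenario with the "probe both, halt only if neither loads" rule proposed in the reply. All function names are hypothetical, the command line is assumed to override the config file, and "SELINUX=disabled" is not modelled.

```c
/* Added example, not systemd or libselinux code.  A simplified model of
 * the enforcing-state lookup and of two ways to react when an early
 * policy load fails.  Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum enforcing { ENF_UNKNOWN = -1, ENF_PERMISSIVE = 0, ENF_ENFORCING = 1 };
enum action { ACT_CONTINUE = 0, ACT_FREEZE = 1 };

/* Read SELINUX= from an /etc/selinux/config-style text.  NULL models a
 * missing file (the initramfs case).  Only enforcing/permissive are
 * recognised; comments and "disabled" fall through to unknown. */
static enum enforcing enforcing_from_config(const char *config)
{
    const char *p = config;

    while (p && *p) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (strncmp(p, "SELINUX=enforcing", 17) == 0)
            return ENF_ENFORCING;
        if (strncmp(p, "SELINUX=permissive", 18) == 0)
            return ENF_PERMISSIVE;
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return ENF_UNKNOWN;
}

/* Look for an enforcing= token on a /proc/cmdline-style string.
 * Simplification: any value other than 0 or 1 is treated as unknown. */
static enum enforcing enforcing_from_cmdline(const char *cmdline)
{
    const char *p = cmdline;

    while (p && *p) {
        while (*p == ' ')
            p++;
        if (strncmp(p, "enforcing=", 10) == 0) {
            const char *v = p + 10;
            if (*v == '1')
                return ENF_ENFORCING;
            if (*v == '0')
                return ENF_PERMISSIVE;
            return ENF_UNKNOWN;
        }
        p = strchr(p, ' ');
    }
    return ENF_UNKNOWN;
}

/* Assumption made here: the command line overrides the config file. */
static enum enforcing effective_enforcing(const char *config, const char *cmdline)
{
    enum enforcing e = enforcing_from_cmdline(cmdline);
    return e != ENF_UNKNOWN ? e : enforcing_from_config(config);
}

/* Behaviour Colin describes: each load attempt is judged on its own, so a
 * failed load freezes boot whenever enforcing is already known to be 1,
 * even while still in an initramfs that carries no policy at all. */
static enum action decide_per_attempt(int load_ok, enum enforcing e)
{
    return (!load_ok && e == ENF_ENFORCING) ? ACT_FREEZE : ACT_CONTINUE;
}

/* The reply's suggestion: probe both locations and halt only if neither
 * of them could load policy and enforcing=1. */
static enum action decide_probe_both(int initramfs_ok, int root_ok, enum enforcing e)
{
    return (!initramfs_ok && !root_ok && e == ENF_ENFORCING) ? ACT_FREEZE : ACT_CONTINUE;
}

/* Constructed scenario from the thread: no config file and no policy in
 * the initramfs, policy present in the real root, enforcing=1 on the
 * kernel command line. */
static const char *scenario_cmdline = "root=/dev/sda1 ro enforcing=1";

static enum action scenario_initramfs_attempt(void)
{
    enum enforcing e = effective_enforcing(NULL, scenario_cmdline);
    return decide_per_attempt(0, e);          /* initramfs load fails */
}

static enum action scenario_probe_both(void)
{
    enum enforcing e = effective_enforcing(NULL, scenario_cmdline);
    return decide_probe_both(0, 1, e);        /* real root loads fine */
}

int main(void)
{
    printf("initramfs attempt, enforcing=1:    %s\n",
           scenario_initramfs_attempt() == ACT_FREEZE ? "freeze" : "continue");
    printf("probe both, real root loads:       %s\n",
           scenario_probe_both() == ACT_FREEZE ? "freeze" : "continue");
    return 0;
}
```

The constructed scenario is the one Colin reports: with no config file the initramfs attempt only has the command line to go on, so enforcing resolves to 1 and the per-attempt rule freezes on the missing policy, whereas the probe-both rule waits for the real-root result and continues.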