On Thu, 20.02.14 18:17, Colin Walters (walters@xxxxxxxxxx) wrote:

Hmm, maybe a simple check access("/etc/selinux/", F_OK) would be enough? There's no point in trying to initialize SELinux if that dir does not exist, right? Then we could simply bypass the whole thing...

> On Thu, Feb 20, 2014 at 1:06 PM, Stephen Smalley <sds@xxxxxxxxxxxxx>
> wrote:
>
> > Wouldn't it be better (and more correct) to probe both the
> > initramfs and
> > the real root, and if neither one can load policy successfully and
> > enforcing=1, then halt?
>
> So you're saying we should handle -ENOENT specially in the
> initramfs? Something like being sure we preserve errno and
> returning it to the caller of selinux_init_load_policy()? That
> would introduce a subtle version dependency.
>
> Or alternatively, just try in the initramfs, ignore any errors, and
> only abort if we also fail to load in the real root?
>
> I think both of these (particularly the second) are worse than my
> patch - we don't (to my knowledge) support putting policy in the
> initramfs now with Fedora or Red Hat Enterprise Linux, so attempting
> to find it there by default on every bootup is wrong.
>
> To turn it around, what is the possible value in also probing the
> initramfs? Does anyone out there load policy from it with systemd?
>
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Lennart

--
Lennart Poettering, Red Hat

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
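The decision being discussed above (skip SELinux setup entirely when the config directory is absent, otherwise try to load policy and halt only when that fails in enforcing mode), written out as an added C example. This is not code from the thread, from systemd or from libselinux: the loader callback `policy_loader_fn` is a hypothetical stand-in for selinux_init_load_policy(), the `selinux_setup_result` values and the `root` prefix are this example's own assumptions, and the temporary directories it creates are constructed test roots, not real system paths.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the early-boot SELinux setup decision (names are assumptions). */
enum selinux_setup_result {
    SELINUX_SKIPPED,             /* no <root>/etc/selinux: bypass SELinux setup */
    SELINUX_LOADED,              /* policy loaded successfully */
    SELINUX_PERMISSIVE_CONTINUE, /* load failed, not enforcing: keep booting */
    SELINUX_HALT                 /* load failed and enforcing=1: refuse to continue */
};

/* Hypothetical loader standing in for selinux_init_load_policy(): returns 0 on
 * success or -errno on failure, and reports whether enforcing mode is wanted. */
typedef int (*policy_loader_fn)(const char *root, int *enforcing);

/* The cheap pre-check from the mail: does "<root>/etc/selinux" exist at all? */
int selinux_config_dir_present(const char *root)
{
    char path[PATH_MAX];
    if (snprintf(path, sizeof path, "%s/etc/selinux", root) >= (int) sizeof path)
        return 0;
    return access(path, F_OK) == 0;
}

/* Probe the config dir first; only call the loader when there is something to load. */
enum selinux_setup_result selinux_setup(const char *root, policy_loader_fn load)
{
    int enforcing = 0;

    if (!selinux_config_dir_present(root))
        return SELINUX_SKIPPED;

    if (load(root, &enforcing) == 0)
        return SELINUX_LOADED;

    /* A failed load is fatal only if the system asked for enforcing mode. */
    return enforcing ? SELINUX_HALT : SELINUX_PERMISSIVE_CONTINUE;
}

/* Simulated loaders for demonstration; they never touch the kernel. */
int loader_ok(const char *root, int *enforcing)        { (void) root; *enforcing = 1; return 0; }
int loader_fail_enforcing(const char *root, int *enforcing)  { (void) root; *enforcing = 1; return -ENOENT; }
int loader_fail_permissive(const char *root, int *enforcing) { (void) root; *enforcing = 0; return -ENOENT; }

/* Build a throwaway root under $TMPDIR (or /tmp), optionally with etc/selinux,
 * run selinux_setup() against it, clean up, and return the decision. */
enum selinux_setup_result selinux_setup_in_temp_root(int create_dir, policy_loader_fn load)
{
    char root[PATH_MAX], sub[PATH_MAX];
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    enum selinux_setup_result r;

    snprintf(root, sizeof root, "%s/selinux-root-XXXXXX", tmp);
    if (!mkdtemp(root))
        return SELINUX_HALT; /* treat setup failure as the safe, fail-closed outcome */

    if (create_dir) {
        snprintf(sub, sizeof sub, "%s/etc", root);
        mkdir(sub, 0700);
        snprintf(sub, sizeof sub, "%s/etc/selinux", root);
        mkdir(sub, 0700);
    }

    r = selinux_setup(root, load);

    if (create_dir) {
        snprintf(sub, sizeof sub, "%s/etc/selinux", root);
        rmdir(sub);
        snprintf(sub, sizeof sub, "%s/etc", root);
        rmdir(sub);
    }
    rmdir(root);
    return r;
}

int main(void)
{
    printf("no dir, enforcing loader -> %d (expect %d SKIPPED)\n",
           selinux_setup_in_temp_root(0, loader_fail_enforcing), SELINUX_SKIPPED);
    printf("dir, failing enforcing loader -> %d (expect %d HALT)\n",
           selinux_setup_in_temp_root(1, loader_fail_enforcing), SELINUX_HALT);
    return 0;
}
```

The point the check buys is ordering: a missing /etc/selinux short-circuits before any loader is called, so the initramfs case never produces a spurious failure, while a root that does carry the directory still fails closed (halt) when policy cannot be loaded in enforcing mode.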