SELINUX=disabled vs. "enforce=1"

So in libselinux/src/load_policy.c:selinux_init_load_policy(), it says:
        /* 
         * Determine the final desired mode.
         * Command line argument takes precedence, then config file. 
         */
        if (secmdline >= 0)
                *enforce = secmdline;
        else if (seconfig >= 0)
                *enforce = seconfig;
        else
                *enforce = 0;   /* unspecified or disabled */

But then a few lines later, we have:
        if (seconfig == -1) {
                /* Runtime disable of SELinux. */
                rc = security_disable();
                [etc.]

...so if the config file says "disabled", SELinux is disabled
*regardless* of the command line argument. 

Is that intentional, or is that a bug? Maybe that test should read:

        if ((seconfig == -1) && (secmdline <= -1)) {

Any ideas?

-w

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
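
Added example, not part of the original post and not libselinux code: a small C model of the two quoted excerpts that tabulates, for every combination of secmdline and seconfig, the computed enforce value and whether the runtime-disable branch is taken, under the current test and under the test proposed in the post. The names decide, struct decision and only_if_no_cmdline are hypothetical; it assumes -1 means "not given" for secmdline and "disabled" for seconfig, as the excerpts suggest.

```c
#include <stdio.h>

/* Result of the mode decision: the value stored in *enforce and whether
 * the "Runtime disable of SELinux" branch would be taken. */
struct decision {
    int enforce;
    int disabled;
};

/* Model of the logic quoted in the post (hypothetical helper, not libselinux).
 * Assumption: -1 = not on the command line / "disabled" in the config file.
 * only_if_no_cmdline != 0 selects the test proposed in the post. */
static struct decision decide(int secmdline, int seconfig, int only_if_no_cmdline)
{
    struct decision d = {0, 0};

    /* Command line argument takes precedence, then config file. */
    if (secmdline >= 0)
        d.enforce = secmdline;
    else if (seconfig >= 0)
        d.enforce = seconfig;
    else
        d.enforce = 0;   /* unspecified or disabled */

    if (only_if_no_cmdline)
        d.disabled = (seconfig == -1) && (secmdline <= -1);  /* proposed */
    else
        d.disabled = (seconfig == -1);                       /* current */
    return d;
}

int main(void)
{
    static const int vals[] = {-1, 0, 1};

    puts("secmdline seconfig | current (enforce,disabled) | proposed (enforce,disabled)");
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 3; j++) {
            struct decision cur = decide(vals[i], vals[j], 0);
            struct decision alt = decide(vals[i], vals[j], 1);
            printf("%9d %8d | (%d,%d) | (%d,%d)\n", vals[i], vals[j],
                   cur.enforce, cur.disabled, alt.enforce, alt.disabled);
        }
    return 0;
}
```

The table makes one side effect of the proposed test visible: a command line value of 0 combined with a "disabled" config would also skip the disable branch, leaving enforce at 0.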