On 2015-09-23 13:23, Russell Coker wrote:
[...]
> To load the policy in the initrd you need to copy
> /etc/selinux/default/policy/policy.* and /usr/sbin/load_policy to the initrd
> and first mount /proc and the selinuxfs before loading the policy. It will be
> a little fiddly to setup (as does anything involving the initrd) but not any
> great challenge.
>
> Also it's unlikely that systemd has been tested in a situation where an initrd
> loads the policy. In case anyone wonders, I think it should be considered a
> bug if systemd or SysVInit fails to work when the policy was loaded in the
> initrd.
Thanks Russell!
Just a quick email to let you all know that with the below code in my
build script, I successfully copied in and loaded the SELinux policy in
the initrd, and my EOPNOTSUPP errors disappeared, allowing me to boot
the system!
That's Good Enough™ for me for the moment, and I can revisit using a
more minimal policy or similar later if necessary. For now, I'm going to
ensure I'm using Russell's latest Debian Jessie-compatible SELinux
policy to see what AVC denials I'm getting, before deciding whether to
just go with that and tweak it to do the few lockdowns I need, or learn
how to write a new one from scratch.
I suspect writing a full policy will be deferred until quite some time
later if I can get something small sorted out in the short-term, as I'm
on a reasonably tight timeline at the moment, having spent a month
fighting this problem and the ones leading up to it.
Thanks again for all your help everyone!
diff --git c/bootstrap w/bootstrap
index c38651e..cb45635 100755
--- c/bootstrap
+++ w/bootstrap
@@ -401,0 +402,16 @@ setfiles -r $t/ $t/etc/selinux/default/contexts/files/file_contexts $t/
+>$t/etc/initramfs-tools/hooks/selinux cat <<'EOF' && chmod +x $t/etc/initramfs-tools/hooks/selinux
+#!/bin/bash
+[ prereqs = "$1" ] && exit 0
+. /usr/share/initramfs-tools/hook-functions
+
+copy_exec /usr/sbin/load_policy
+cp -a {,"$DESTDIR"}/etc/selinux/
+EOF
+>$t/etc/initramfs-tools/scripts/init-top/selinux cat <<'EOF' && chmod +x $t/etc/initramfs-tools/scripts/init-top/selinux
+#!/bin/sh
+[ prereqs = "$1" ] && exit 0
+
+mount -t selinuxfs selinuxfs /sys/fs/selinux
+load_policy
+EOF
+chroot $t update-initramfs -u -k all
--
Regards,
Matthew Cengia
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
