[systemd-devel] [PATCH] selinux: Only attempt to load policy exactly once, in the real root

[Will Woods]

On Thu, 2014-02-20 at 18:17 +0000, Colin Walters wrote:
> I think both of these (particularly the second) are worse than my
> patch - we don't (to my knowledge) support putting policy in the
> initramfs now with Fedora or Red Hat Enterprise Linux, so attempting
> to find it there by default on every bootup is wrong.  
> 
> 
> To turn it around, what is the possible value in also probing the
> initramfs?  Does anyone out there load policy from it with systemd?

Oof. I'm late, but: actually, yes. Fedup does this during upgrades.

We ship the new system's policy in upgrade.img in an attempt to ensure
that files written during the upgrade get the right labels.

(For example: if you're upgrading F19->F20, we load F20 policy during
initramfs, then switch_root to the F19 system to get disks mounted, then
switch_root back to initramfs to run the upgrade.)

Loading policy in initramfs seems to have some unfortunate side-effects,
though. For example, every process runs with kernel_t, and all the files
outside of /run and /dev are root_t. 

Also, something seems racy - sometimes /run/systemd/ask-password ends up
init_var_run_t, which keeps us from unlocking /home later. Ugh.

It'd probably be better to load F19 policy first, then load F20 policy
after the second switch_root *back* to initramfs.. except systemd won't
do that either.

I'm open to any ideas about how to make sure that the upgrade runs with
the right policy loaded (or, really, how to be sure that files written
during the upgrade get the correct labels for the new system). 

Otherwise, this patch will probably interfere with upgrades to F21.

-w