[systemd-devel] [PATCH] core: let selinux_setup() load policy more than once
Will Woods
wwoods at redhat.com
Mon Apr 28 10:29:34 PDT 2014
On Fri, 2014-04-25 at 18:26 -0400, Will Woods wrote:
> Currently, systemd refuses to load SELinux policy more than once.
>
> Normal systems don't care, because they either:
> a) have initramfs without policy, then load policy after switch-root, or
> b) load policy in initramfs, and never switch-root out.
>
> But if you *do* switch-root more than once - which fedup does! - you're
> supposed to run selinux_init_load_policy() afterward to ensure that you set up
> selinuxfs and load the new SELinux policy correctly.

For reference, here's the thread from selinux at tycho.nsa.gov where this
was discussed:

http://marc.info/?l=selinux&m=139782596307221&w=2

The upshot is: yes, we're supposed to do selinux_init_load_policy()
after *every* switch-root.

-w