[systemd-devel] [PATCH] selinux: Only attempt to load policy exactly once, in the real root

Colin Walters walters at verbum.org
Thu Feb 20 07:42:25 PST 2014

Currently on at least Fedora, SELinux policy does not come in
the initramfs. systemd will attempt to load *both* in the
initramfs and in the real root.

Now, the selinux_init_load_policy() API has a regular error return
value, as well as an "enforcing" boolean. To determine enforcing
state, it looks for /etc/selinux/config as well as the presence
of "enforcing=" on the kernel command line.

Ordinarily, neither of those exist in the initramfs, so it will return
"unknown" for enforcing, and systemd will simply ignore the failure to
load policy.

Then later after we switch to the real root, we have the config file,
and all will work properly.

Except...this all blows up if someone explicitly specifies enforcing=1
on the kernel command line. Then systemd will fail to load the
nonexistent policy in the initramfs and freeze.

What this patch does is quite simple - we add an internal API that
says where we expect to find policy, and attempt to load it exactly
from there. Right now since I'm not aware of anyone who does
policy-in-initramfs, this function is hardcoded to return false.

Lots-of-very-painful-debugging-by: Colin Walters <walters at verbum.org>
 src/core/main.c | 6 ++++--
 src/core/selinux-setup.c | 10 ++++++++++
 src/core/selinux-setup.h | 2 ++
 3 files changed, 16 insertions(+), 2 deletions(-)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20140220/47ba06fc/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-selinux-Only-attempt-to-load-policy-exactly-once-in-.patch
Type: text/x-patch
Size: 3275 bytes
Desc: not available
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20140220/47ba06fc/attachment.bin>

More information about the systemd-devel mailing list