[systemd-devel] [PATCH] selinux: Only attempt to load policy exactly once, in the real root

Stephen Smalley sds at tycho.nsa.gov
Thu Feb 20 10:06:23 PST 2014

On 02/20/2014 10:42 AM, Colin Walters wrote:
> Currently on at least Fedora, SELinux policy does not come in
> the initramfs. systemd will attempt to load *both* in the
> initramfs and in the real root.
>
> Now, the selinux_init_load_policy() API has a regular error return
> value, as well as an "enforcing" boolean. To determine enforcing
> state, it looks for /etc/selinux/config as well as the presence
> of "enforcing=" on the kernel command line.
>
> Ordinarily, neither of those exist in the initramfs, so it will return
> "unknown" for enforcing, and systemd will simply ignore the failure to
> load policy.
>
> Then later after we switch to the real root, we have the config file,
> and all will work properly.
>
> Except... this all blows up if someone explicitly specifies enforcing=1
> on the kernel command line. Then systemd will fail to load the
> nonexistent policy in the initramfs and freeze.
>
> What this patch does is quite simple - we add an internal API that
> says where we expect to find policy, and attempt to load it exactly
> from there. Right now since I'm not aware of anyone who does
> policy-in-initramfs, this function is hardcoded to return false.
>
> Lots-of-very-painful-debugging-by: Colin Walters <walters at verbum.org>
> ---
>  src/core/main.c          |  6 ++++--
>  src/core/selinux-setup.c | 10 ++++++++++
>  src/core/selinux-setup.h |  2 ++
>  3 files changed, 16 insertions(+), 2 deletions(-)

Wouldn't it be better (and more correct) to probe both the initramfs and
the real root, and if neither one can load policy successfully and
enforcing=1, then halt?
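The three behaviours discussed in this thread (the pre-patch "try everywhere and freeze on failure with enforcing=1", Colin's "only try where policy is expected", and Stephen's "probe both stages, halt only if neither loads and enforcing=1") can be modelled as pure decision functions. The following is an added illustration written for this page, not systemd's or libselinux's code: `resolve_enforcing`, `pre_patch_decide`, `post_patch_decide`, `probe_both_decide`, `policy_expected_in_initrd` and the `policy_action` enum are all hypothetical names, and the inputs (whether policy is loadable, whether a config file or `enforcing=` is present) are constructed stand-ins for what `selinux_init_load_policy()` would observe on a real system.

```c
#include <stdbool.h>

/* What early boot does after a policy-load attempt (hypothetical model). */
typedef enum {
    POLICY_ACTION_SKIP,      /* no load attempted at this stage */
    POLICY_ACTION_CONTINUE,  /* loaded, or failure tolerated */
    POLICY_ACTION_HALT       /* failure with enforcing=1: boot freezes */
} policy_action;

/* Stand-in for the patch's internal API: policy lives only in the real root. */
static bool policy_expected_in_initrd(void)
{
    return false;
}

/* Models how the loader derives "enforcing": the kernel command line wins,
 * then /etc/selinux/config, otherwise unknown (-1). In the initramfs
 * neither source is normally present, so the result is unknown.
 * (Constructed simplification of selinux_init_load_policy()'s logic.) */
int resolve_enforcing(bool have_cmdline_enforcing, int cmdline_enforcing,
                      bool have_config, int config_enforcing)
{
    if (have_cmdline_enforcing)
        return cmdline_enforcing;
    if (have_config)
        return config_enforcing;
    return -1;
}

/* Pre-patch behaviour: always try to load; on failure, halt iff enforcing=1.
 * With enforcing=1 on the command line and no policy in the initramfs,
 * this is the freeze Colin describes. */
policy_action pre_patch_decide(bool in_initrd, bool policy_loadable, int enforcing)
{
    (void)in_initrd;  /* the stage does not matter: every stage tries */
    if (policy_loadable)
        return POLICY_ACTION_CONTINUE;
    return enforcing == 1 ? POLICY_ACTION_HALT : POLICY_ACTION_CONTINUE;
}

/* Patched behaviour: only attempt the load where policy is expected.
 * In the initramfs the attempt is skipped entirely, so enforcing=1
 * can no longer trigger a halt there; the real root keeps the old rule. */
policy_action post_patch_decide(bool in_initrd, bool policy_loadable, int enforcing)
{
    if (in_initrd && !policy_expected_in_initrd())
        return POLICY_ACTION_SKIP;
    if (policy_loadable)
        return POLICY_ACTION_CONTINUE;
    return enforcing == 1 ? POLICY_ACTION_HALT : POLICY_ACTION_CONTINUE;
}

/* Stephen's alternative: probe both stages and halt only when neither
 * managed to load policy and enforcing=1. Unlike the patch, this still
 * supports a policy shipped in the initramfs. */
policy_action probe_both_decide(bool initrd_loaded, bool root_loaded, int enforcing)
{
    if (initrd_loaded || root_loaded)
        return POLICY_ACTION_CONTINUE;
    return enforcing == 1 ? POLICY_ACTION_HALT : POLICY_ACTION_CONTINUE;
}

/* Walk the Fedora scenario from the thread: enforcing=1 on the command
 * line, no policy in the initramfs, policy present in the real root. */
int main(void)
{
    int enforcing = resolve_enforcing(true, 1, false, 0);  /* -> 1 */
    policy_action before = pre_patch_decide(true, false, enforcing);   /* HALT */
    policy_action after  = post_patch_decide(true, false, enforcing);  /* SKIP */
    policy_action probe  = probe_both_decide(false, true, enforcing);  /* CONTINUE */
    return (before == POLICY_ACTION_HALT && after == POLICY_ACTION_SKIP &&
            probe == POLICY_ACTION_CONTINUE) ? 0 : 1;
}
```

The useful contrast is in the failure case that is not the Fedora default: a policy that really is missing from the real root with `enforcing=1` still halts under both the patch and the probe-both variant, which is the fail-closed behaviour an enforcing configuration is meant to guarantee.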
