[systemd-devel] [PATCH] selinux: Only attempt to load policy exactly once, in the real root

Lennart Poettering lennart at poettering.net
Thu Feb 20 10:36:43 PST 2014


On Thu, 20.02.14 18:17, Colin Walters (walters at verbum.org) wrote:

Hmm, maybe a simple check access("/etc/selinux/", F_OK) would be enough?
There's no point in trying to initialized SELinux if that dir does not
exist, right? Then we could simply bypass the whole thing...

> On Thu, Feb 20, 2014 at 1:06 PM, Stephen Smalley <sds at tycho.nsa.gov>
> wrote:
> >
> >Wouldn't it be better (and more correct) to probe both the
> >initramfs and
> >the real root, and if neither one can load policy successfully and
> >enforcing=1, then halt?
> >
> So you're saying we should handle -ENOENT specially in the
> initramfs?  Something like being sure we preserve errno and
> returning it to the caller of selinux_init_load_policy()?  That
> would introduce a subtle version dependency.
> 
> Or alternatively, just try in the initramfs, ignore any errors, and
> only abort if we also fail to load in the real root?
> 
> I think both of these (particularly the second) are worse than my
> patch - we don't (to my knowledge) support putting policy in the
> initramfs now with Fedora or Red Hat Enterprise Linux, so attempting
> to find it there by default on every bootup is wrong.
> 
> To turn it around, what is the possible value in also probing the
> initramfs?  Does anyone out there load policy from it with systemd?
> 

> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel



Lennart

-- 
Lennart Poettering, Red Hat


More information about the systemd-devel mailing list