[systemd-devel] [PATCH] selinux: Only attempt to load policy exactly once, in the real root
Colin Walters
walters at verbum.org
Thu Feb 20 10:47:49 PST 2014
On Thu, Feb 20, 2014 at 1:36 PM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Thu, 20.02.14 18:17, Colin Walters (walters at verbum.org) wrote:
>
> Hmm, maybe a simple check access("/etc/selinux/", F_OK) would be
> enough?
> There's no point in trying to initialized SELinux if that dir does not
> exist, right? Then we could simply bypass the whole thing...
>
Beyond what Eric said, I also think that libselinux should continue to
contain all of the key logic for whether or not SELinux is enabled and
how to behave.
The current *API* seems OK in having the two return values of an error
code and an enforcing flag.
The only thing libselinux can't know is:
1) Whether we're inside an initramfs right now
2) Whether or not the OS vendor expects policy to be found in the real
root or the initramfs
So those bits of logic make sense to me in systemd, although there is
an argument for #2 living in libselinux.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20140220/bdecee97/attachment.html>
More information about the systemd-devel
mailing list