[systemd-devel] [PATCH] selinux: Only attempt to load policy exactly once, in the real root

Colin Walters walters at verbum.org
Thu Feb 20 10:47:49 PST 2014

On Thu, Feb 20, 2014 at 1:36 PM, Lennart Poettering 
<lennart at poettering.net> wrote:
> On Thu, 20.02.14 18:17, Colin Walters (walters at verbum.org) wrote:
> Hmm, maybe a simple check access("/etc/selinux/", F_OK) would be 
> enough?
> There's no point in trying to initialized SELinux if that dir does not
> exist, right? Then we could simply bypass the whole thing...

Beyond what Eric said, I also think that libselinux should continue to 
contain all of the key logic for whether or not SELinux is enabled and 
how to behave.

The current *API* seems OK in having the two return values of an error 
code and an enforcing flag.

The only thing libselinux can't know is:
1) Whether we're inside an initramfs right now
2) Whether or not the OS vendor expects policy to be found in the real 
root or the initramfs

So those bits of logic make sense to me in systemd, although there is 
an argument for #2 living in libselinux.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20140220/bdecee97/attachment.html>

More information about the systemd-devel mailing list