[systemd-devel] [PATCH] selinux: Only attempt to load policy exactly once, in the real root

Colin Walters walters at verbum.org
Thu Feb 20 12:52:08 PST 2014

On Thu, Feb 20, 2014 at 2:45 PM, Daniel J Walsh <dwalsh at redhat.com> 
> You mean
> "!in_initrd() || access(selinux_path(), F_OK) >= 0"?

I don't think so - that would mean we would silently continue if 
enforcing=1, but we happen to not find a policy on disk.  Right?

I think my patch is better than this - systemd will attempt to load 
policy from *only* the real root (not the initramfs), using the exact 
same logic as is in libselinux currently.

For example, it would allow explicitly specifying enforcing=1 on the 
kernel command line, and that would continue to cause an explicit 
failure if policy is not found.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20140220/f7f9ae3e/attachment.html>

More information about the systemd-devel mailing list