[systemd-devel] Expected behavior when systemd cannot load SELinux policy

Daniel J Walsh dwalsh at redhat.com
Fri Nov 7 14:30:36 PST 2014


On 11/07/2014 11:09 AM, Lennart Poettering wrote:
> On Fri, 07.11.14 11:30, Jan Synáček (jsynacek at redhat.com) wrote:
>
>> Hello,
>>
>> currently, when SELINUX=enforcing and SELINUXTYPE=<invalid value> are
>> set in /etc/selinux/config, systemd refuses to boot with
>> "Failed to load SELinux policy. Freezing."
>>
>> Is this really what should happen? If SELINUX is set to permissive or
>> disabled, though, systemd happily continues booting. I think that that's
>> what should happen when SELINUX is set to enforcing as well. Plus a big
>> warning in the log, or maybe even on the console, of course.
>>
>> What do you think?
> Well, if we are in enforcing mode then this means that everything that
> is not OK needs to fail, and this includes the policy being corrupted
> or missing really.
>
> Enforcing mode is really this "super secure" mode where we'd rather
> hang the machine than possibly allow things to go through that might
> not be let through if the policy would be in order...
>
> Lennart
>
Yes, think of super secure systems.  If you had a machine that contained
TopSecret information, then booting without the policy in effect would
potentially lead to compromised information.
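
A pre-reboot check for the misconfiguration discussed in this thread, added here as an example (it is not part of the original messages and is not systemd or libselinux code). The function name `check_selinux_config`, its return codes, and the fallback to `targeted` when SELINUXTYPE is unset are assumptions of this sketch.

```sh
# Added example: predict, before rebooting, how boot will react to the
# SELinux settings under ROOT (default: the live system).
# Prints a verdict and returns:
#   0  policy file present, or SELINUX=disabled
#   1  policy missing, mode not enforcing (boot continues)
#   2  policy missing, SELINUX=enforcing (the "Freezing." case in the thread)
#   3  config file unreadable
# Kernel command-line overrides are not considered.
check_selinux_config() {
    root=${1:-}
    cfg="$root/etc/selinux/config"
    if [ ! -r "$cfg" ]; then
        echo "no-config: $cfg"
        return 3
    fi
    # Read KEY=value from uncommented lines. Assumption: when a key is
    # repeated, this sketch uses the last occurrence.
    _cfg_get() {
        sed -n "s/^[[:space:]]*$1=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$cfg" | tail -n 1
    }
    mode=$(_cfg_get SELINUX)
    type=$(_cfg_get SELINUXTYPE)
    [ -n "$type" ] || type=targeted   # assumed default when unset
    if [ "$mode" = disabled ]; then
        echo "disabled: boot continues without SELinux"
        return 0
    fi
    # A usable policy store contains a binary policy named policy.<version>.
    for f in "$root/etc/selinux/$type/policy/policy."*; do
        if [ -f "$f" ]; then
            echo "ok: $f"
            return 0
        fi
    done
    if [ "$mode" = enforcing ]; then
        echo "freeze: SELINUXTYPE=$type has no policy and SELINUX=enforcing"
        return 2
    fi
    echo "warn: SELINUXTYPE=$type has no policy; SELINUX=${mode:-unset} boots anyway"
    return 1
}
```

Called with no argument it inspects the running system; passing a directory checks a mounted image or chroot instead.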

