[RFC] change policy loading to initramfs

Bill Nottingham notting at redhat.com
Thu Jan 24 21:34:00 UTC 2008


Chad Sellers (csellers at tresys.com) said: 
> A good point. I handle this (in my script from the other post) by only dying
> if the return code is 3 (meaning we're supposed to be enforcing and loading
> policy failed). I didn't consider all the error conditions due to chroot
> itself. I believe the list of return codes to consider (thanks to Steve) is:
> 
> chroot:
> 0 success
> 1 (various failures, including usage, failure to chroot, failure to
> chdir)
> 126 (any failure on exec except for ENOENT)
> 127 (ENOENT on the exec, i.e. couldn't find load_policy)
> 
> load_policy -i:
> 0 success
> 1 usage
> 2 can't load policy but proceed
> 3 can't load policy and die
> 
> The security guy in me says die on any return value besides 0 or 2, but
> that's probably too draconian. At the very least, we should continue on 127
> (if load_policy is not installed).
> 
> Thoughts?

If load_policy isn't installed, you want to proceed. If chroot outright
fails, you'll almost certainly fail later in your boot anyway, so I don't
know if you need to explicitly handle that.

Bill
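One way to encode the return-code table quoted above in the init script, as an added example (my own code, not the script Chad refers to): only 3 is treated as fatal, as in Chad's script, while 127 (load_policy not installed) and the chroot-side codes are logged and the boot proceeds, per Bill's point that a broken chroot fails later anyway. The `/sbin/load_policy` path and the `/sysroot` default for the new root are assumptions; the thread only names `load_policy -i`.

```shell
#!/bin/sh
# Added example, not from the thread. Classify the exit status of
#   chroot "$NEWROOT" /sbin/load_policy -i
# using the code table quoted in the thread:
#   chroot:       1 usage / failed chroot or chdir, 126 exec failed (not ENOENT),
#                 127 ENOENT (load_policy not present in the new root)
#   load_policy:  0 success, 1 usage, 2 can't load but proceed,
#                 3 can't load and die
# Note that 1 is ambiguous: both chroot and load_policy use it.

# Prints one of: continue (silent), warn (log, keep booting), die (abort).
classify_load_policy_rc() {
    case "$1" in
        0)   echo continue ;;   # policy loaded
        3)   echo die ;;        # enforcing requested and the load failed
        2)   echo warn ;;       # load failed but load_policy says proceed
        127) echo warn ;;       # load_policy not installed: proceed (Bill/Chad)
        1|126) echo warn ;;     # chroot/exec trouble or usage error; boot will
                                # most likely fail on its own later
        *)   echo warn ;;       # unknown code: be lenient, but say so
    esac
}

# Human-readable reason for the log line.
describe_load_policy_rc() {
    case "$1" in
        0)   echo "policy loaded" ;;
        1)   echo "usage error, or chroot/chdir failed" ;;
        2)   echo "policy not loaded, proceeding" ;;
        3)   echo "policy not loaded, enforcing mode required" ;;
        126) echo "exec of load_policy failed" ;;
        127) echo "load_policy not found in new root" ;;
        *)   echo "unexpected exit status" ;;
    esac
}

# Run load_policy inside the new root and act on the classified status.
# Returns 0 to keep booting, 1 when the boot should stop.
load_policy_in_root() {
    root=$1
    rc=0
    chroot "$root" /sbin/load_policy -i || rc=$?   # path assumed
    action=$(classify_load_policy_rc "$rc")
    reason=$(describe_load_policy_rc "$rc")
    case "$action" in
        continue)
            return 0 ;;
        warn)
            echo "load_policy: $reason (rc=$rc), continuing" >&2
            return 0 ;;
        die)
            echo "load_policy: $reason (rc=$rc), aborting boot" >&2
            return 1 ;;
    esac
}

# Only touch the real new root when explicitly asked (needs root and a
# populated /sysroot), so this file can also be sourced for its functions.
if [ "${1-}" = run ]; then
    load_policy_in_root "${2:-/sysroot}"   # /sysroot is a placeholder default
fi
```

Invoke it as `sh load-policy.sh run /sysroot` from the initramfs init; sourcing the file without `run` only defines the functions.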



