selinux hasn't been running for over a week
Daniel J Walsh
dwalsh at redhat.com
Fri Sep 18 13:54:12 UTC 2009
On 09/18/2009 09:44 AM, Steve Grubb wrote:
> Hi,
>
> Just a couple clarifications for anyone implementing this.
>
> On Friday 18 September 2009 07:34:29 am Daniel J Walsh wrote:
>> Bottom line is a bug in the dracut scripts. The scripts should execute
>> load_policy and if for ANY reason load_policy fails and the machine is in
>> enforcing mode the machine needs to crash. (It should also log the
>> error).
>>
>> If the kernel has SELinux and it is not in permissive mode, it should
>> execute load_policy
>
Yes, in permissive mode load_policy will return 2 if it cannot load policy.
I guess dracut should also look in /etc/selinux/config to see if the SELINUX
environment variable is not set to enforcing.
> You mean if the machine is in permissive mode, it should load_policy, but not
> crash. But it should log the reason so it can be debugged.
>
>> Load_policy will exit with 0 on success or 2 on failure and SELinux in
>> permissive mode.
>
> And if chroot fails, we need to handle it.
>
This will probably crash anyways.
> -Steve
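
The decision logic discussed in this thread, as an added example (not part of the original messages and not dracut's own script). The function names are hypothetical. Treating a missing or unparsable SELINUX= setting as enforcing, and skipping the load when it is disabled, are assumptions of this sketch.

```shell
#!/bin/sh
# Added illustration, not dracut's actual script; function names are hypothetical.

# Print the SELINUX= value from a config file (default /etc/selinux/config).
# Assumption: a missing or unparsable setting is treated as "enforcing" so a
# damaged config cannot silently weaken the boot.
configured_mode() {
    cfg=${1:-/etc/selinux/config}
    mode=
    if [ -r "$cfg" ]; then
        mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" |
               tail -n 1 | tr 'A-Z' 'a-z')
    fi
    case $mode in
        permissive|disabled) echo "$mode" ;;
        *) echo enforcing ;;
    esac
}

# Map the exit status of the policy-load step to an action. Any non-zero
# status is a failure, which also covers chroot failing before load_policy runs.
policy_action() {
    rc=$1
    mode=$2
    if [ "$rc" -eq 0 ]; then
        echo continue
    elif [ "$mode" = permissive ]; then
        echo log-and-continue
    else
        echo halt
    fi
}

# Run the given load command and print the resulting action. In an initramfs
# the command would be something like (path and variable assumed):
#   chroot "$NEWROOT" /usr/sbin/load_policy -i
apply_policy() {
    cfg=$1
    shift
    mode=$(configured_mode "$cfg")
    if [ "$mode" = disabled ]; then
        echo skip
        return 0
    fi
    rc=0
    "$@" || rc=$?
    action=$(policy_action "$rc" "$mode")
    [ "$action" = continue ] || echo "load_policy failed: rc=$rc mode=$mode" >&2
    echo "$action"
}
```

A caller would stop the boot when the printed action is `halt`; the failure reason goes to stderr in both failure cases so it can be debugged.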