selinux hasn't been running for over a week

Stephen Smalley sds at tycho.nsa.gov
Fri Sep 18 14:25:56 UTC 2009 

On Fri, 2009-09-18 at 10:16 -0400, Daniel J Walsh wrote:
> On 09/18/2009 10:05 AM, Stephen Smalley wrote:
> > On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
> >> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
> >>>>> If the kernel has SELinux and it is not in permissive mode, it should
> >>>>>  execute load_policy
> >>>
> >>> Yes in permissive mode load_policy will return 2 if it can not load policy.
> >>> I guess dracut should also look in /etc/selinux/config to see if the
> >>>  SELINUX  environment variable is not set to enforcing.
> >>
> >> What about interaction with the kernel command line? What the kernel was given 
> >> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says 
> >> enabled, shouldn't the kernel command line take priority?
> > 
> > That all gets taken care of inside of libselinux
> > selinux_init_load_policy() function, which is what load_policy calls.
> > 
> >>
> >>>> You mean if the machine is in permissive mode, it should load_policy, but
> >>>> not  crash. But it should log the reason so it can be debugged.
> >>>>
> >>>>> Load_policy will exit with 0 on success or 2 on failure and SELinux in
> >>>>>  permissive mode.
> >>>>
> >>>> And if chroot fails, we need to handle it.
> >>>
> >>> This will probably crash anyways
> >>
> >> In the code I looked at, only if it returned 3...
> > 
> > load_policy exits with 3 if the load policy failed and the system was
> > supposed to be in enforcing mode (based on the combination of kernel
> > command line arguments, which do take precedence, and
> > the /etc/selinux/config setting).  It exits with 2 if the load policy
> > failed and the system was supposed to be permissive.
> >  
> Right but what happens if load_policy is called with the wrong parameter?
> What happens if load_policy can not be called because of permission denied?

I'm not entirely clear as to why you are asking, but:
$ load_policy --foo
load_policy: invalid option -- '-'
usage:  load_policy [-qi]
$ echo $?
1
$ runcon system_u:system_r:httpd_t:s0 load_policy
runcon: load_policy: Permission denied
$ echo $?
126

Are you just saying that dracut needs to fail closed (i.e. halt the
system) if the exit code is anything other than 0 (success) or 2 (failed
but permissive)?

-- 
Stephen Smalley
National Security Agency

More information about the fedora-devel-list mailing list