selinux hasn't been running for over a week
Daniel J Walsh
dwalsh at redhat.com
Fri Sep 18 13:17:23 UTC 2009
On 09/18/2009 08:35 AM, Stephen Smalley wrote:
> On Fri, 2009-09-18 at 07:34 -0400, Daniel J Walsh wrote:
>> On 09/17/2009 09:39 PM, Yuan Yijun wrote:
>>> 2009/9/18 Steve Grubb <sgrubb at redhat.com>:
>>>> hi,
>>>>
>>>> What's happened in our rawhide boot sequence that causes selinux to not be
>>>> running anymore? Selinux is not disabled in the grub.conf kernel line and
>>>> sestatus shows it's disabled. There is nothing in the system logs saying that
>>>> there was a problem.
>>>>
>>>
>>> I encountered this problem as well, but don't know why. It happens
>>> when I am trying different kernels among some recent builds (starting
>>> from 0.104 to 1.14). I guess there is an incompatibility between older
>>> kernels and the policy; when you install a kernel while SELinux is
>>> disabled, it may cause future problems. Do you expect SELinux to be
>>> enabled automatically? I usually enable SELinux by doing a relabel,
>>> then install the kernel again.
>>>
>>>
>>>
>> Hopefully this is just a problem of coordination between the old way of doing things and the new.
>> Dracut found a bug where it could not load_policy on separate /usr partitions because it needed to execute
>> /usr/sbin/load_policy (obviously). I moved load_policy from /usr/sbin to /sbin. This caused some other apps
>> problems because they were hard coded to look for /usr/sbin. Recently I fixed this by adding a symbolic link
>> and fixing the libraries that blew up.
>
> Why can't dracut just directly invoke the libselinux interface
> (selinux_init_load_policy)? Then you don't have to care where the
> load_policy program lives.
>
The beauty of load_policy is that we don't end up having to suck the libsemanage and friends into the initrd.
I think it is much saner than what we were doing in F11.
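An added shell example, not code from this thread or from dracut, that models the lookup problem described above: a root filesystem is constructed under a temp dir with load_policy placed either in /usr/sbin (the old location) or /sbin (the new one), and the lookup is run both before and after /usr would be mounted. The function names and the "/usr mounted" flag are my assumptions.

```shell
# Added example, not code from the thread or from dracut: it models the
# early-boot lookup of load_policy the thread describes. Layouts are
# constructed under a temp dir; nothing on the real system is read.

# Print the first executable load_policy reachable at the given boot stage.
# $1 = constructed root, $2 = 1 if /usr is already mounted, 0 if not
# (before /usr is mounted, nothing under /usr exists from dracut's view).
find_load_policy() {
    fl_root="$1"
    if [ "$2" = 1 ]; then
        set -- "$fl_root/sbin/load_policy" "$fl_root/usr/sbin/load_policy"
    else
        set -- "$fl_root/sbin/load_policy"
    fi
    for candidate in "$@"; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Build a constructed root with /sbin and an (empty) /usr/sbin mount point,
# placing a stand-in load_policy under the directory named by $1.
make_fake_root() {
    mf_root=$(mktemp -d)
    mkdir -p "$mf_root/sbin" "$mf_root/usr/sbin"
    printf '#!/bin/sh\nexit 0\n' > "$mf_root/$1/load_policy"
    chmod +x "$mf_root/$1/load_policy"
    printf '%s\n' "$mf_root"
}

# The compatibility symlink the thread mentions: callers hard-coded to
# /usr/sbin/load_policy keep working once /usr is mounted.
add_compat_symlink() {
    ln -s ../../sbin/load_policy "$1/usr/sbin/load_policy"
}

# Stand-alone demo of the two layouts.
old_root=$(make_fake_root usr/sbin)   # pre-fix layout: binary only under /usr
new_root=$(make_fake_root sbin)       # post-fix layout: binary on the root fs
echo "pre-fix, /usr not yet mounted:  $(find_load_policy "$old_root" 0 || echo 'not found')"
echo "post-fix, /usr not yet mounted: $(find_load_policy "$new_root" 0 || echo 'not found')"
add_compat_symlink "$new_root"
if [ -x "$new_root/usr/sbin/load_policy" ]; then
    echo "post-fix, hard-coded /usr/sbin path resolves via symlink once /usr is mounted"
fi
rm -rf "$old_root" "$new_root"
```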
More information about the fedora-devel-list mailing list