[RFC] change policy loading to initramfs

John Reiser jreiser at BitWagon.com
Wed Jan 23 23:19:43 UTC 2008


> So we might as well move to having the
> policy loaded from the initramfs.

How can this be debugged, particularly in the field?  During the Fedora 8
development cycle I had some success running anaconda under strace,
having booted with strace on a USB flash device, then going to a separate
console, attaching strace to anaconda, and piping several GB of strace output
through gzip onto the flash device.  I'd like to be able to do something
just as effective (or more) with loading policy from initramfs.

> +        if (selinux_init_load_policy(&enforce) != 0) {
> +            if (enforce > 0) {
> +                eprintf("Unable to load SELinux policy (%m). Halting now.\n");
> +                exit(1);
> +            }
> +            exit(0);
> +        }
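
Review bot: the non-enforcing branch exits silently. When selinux_init_load_policy() fails and enforce is not > 0, control falls through to exit(0) with no message at all, so a permissive boot hides exactly the failure the reply below asks to see. Emit a diagnostic on that path too before exiting, e.g. `eprintf("Unable to load SELinux policy (%m); continuing without policy.\n");`, and if the failing pathname is available from the caller, include it, since `%m` only reports the errno string.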

Please enhance the error reporting so that when there is an error,
then the error message is exquisitely explicit, and gives some hint
of how to fix the problem.  It is extremely frustrating to see only
"There was an error.  Bye."  [Naturally, this is a joint effort between
selinux_init_load_policy and its caller.]

If the problem is a failed system call, then print the name of the
system call, the errno, and the error string.  (Even without national
language support, for instance.)  If the problem lies with a file or
directory, then include the literal pathname which failed.  I spent
many hours chasing a missing file whose name did not appear in
any message.
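
As an added example (not code from the thread or from libselinux), here is the kind of explicit diagnostic the caller of selinux_init_load_policy could produce: the system call name, the literal pathname, errno and its string, plus a hint. The names selinux_policy_diag, open_policy_file and POLICY_HINT are assumptions chosen for the example.

```c
/* Added example, not part of the original patch or thread: an explicit
 * error report for a policy loader, naming the system call, the pathname,
 * errno and strerror(), as the reply asks for. The function names and
 * POLICY_HINT are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define POLICY_HINT "check that the policy file is present in the initramfs " \
                    "and that /etc/selinux/config names the right store"

/* Format "<syscall>(<path>) failed: errno=<n> (<strerror>); hint: ..." into
 * buf. Returns the number of characters snprintf would have written. */
int selinux_policy_diag(const char *syscall, const char *path, int err,
                        char *buf, size_t buflen)
{
    return snprintf(buf, buflen, "%s(%s) failed: errno=%d (%s); hint: %s",
                    syscall, path, err, strerror(err), POLICY_HINT);
}

/* Try to open a policy file read-only. On failure, leave a full diagnostic
 * in buf and return -errno, so the caller can decide based on the enforcing
 * mode instead of exiting silently. On success, return the descriptor. */
int open_policy_file(const char *path, char *buf, size_t buflen)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) {
        int err = errno;            /* save before any other call clobbers it */
        selinux_policy_diag("open", path, err, buf, buflen);
        return -err;
    }
    buf[0] = '\0';
    return fd;
}

int main(void)
{
    char msg[512];
    /* Constructed path that does not exist, to show the failure message. */
    int rc = open_policy_file("/nonexistent-initramfs/policy.23", msg, sizeof msg);
    if (rc < 0)
        fprintf(stderr, "Unable to load SELinux policy: %s\n", msg);
    else
        close(rc);
    return rc < 0 ? 1 : 0;
}
```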
