[RFC] change policy loading to initramfs

Bill Nottingham notting at redhat.com
Thu Jan 24 16:48:12 UTC 2008


Peter Jones (pjones at redhat.com) said: 
> int loadPolicyCommand(char *cmd, char *end)
> {
>     int enforce = 0;
>     int rootfd;
>
>     rootfd = open("/", O_DIRECTORY|O_RDONLY);
>     if (rootfd < 0) {
>         eprintf("loadpolicy: could not open directory: %m\n");
>         exit(1);
>     }
>     if (chroot("/sysroot") != 0) {
>         eprintf("loadpolicy: chroot failed: %m\n");
>         exit(1);
>     }
>     if (selinux_init_policy(&enforce) != 0) {
>         eprintf("Unable to load SELinux policy (%m). Halting now.\n");
>         exit(1);
>     }

selinux_init_load_policy is what handles enforcing=0/selinux=0 on the
commandline - you only want to halt if you get back that it failed
and you're in enforcing mode. (Similarly, not sure if chdir/chroot
should be fatal errors.)

Bill
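The distinction Bill draws (halt only when the load failed *and* the box is enforcing) is easy to get wrong in a loader that treats every non-zero return as fatal. The C below is an added example, not Peter's nash code or anything from libselinux; it assumes the documented libselinux contract for `selinux_init_load_policy(int *enforce)`: return 0 on success, -1 on failure, with the enforcing mode (1 enforcing, 0 permissive, which is also what `enforcing=0` on the command line yields) stored in `*enforce`. The loader is injected as a function pointer so the decision logic runs with a constructed stand-in, without root, a policy store or a libselinux link; `decide_policy_outcome`, `run_scenario` and the `fake_*` names are all hypothetical.

```c
/* Added example: separate "did the load fail" from "is that fatal".
 * Contract assumed for the real loader (libselinux):
 *   int selinux_init_load_policy(int *enforce);  // 0 ok, -1 failed,
 *                                                 // *enforce = 1 enforcing / 0 not
 * A boot loader would pass selinux_init_load_policy itself as `loader`. */
#include <stdio.h>

enum policy_outcome {
    POLICY_LOADED,            /* policy loaded: continue boot */
    POLICY_FAILED_PERMISSIVE, /* load failed but not enforcing: warn, continue */
    POLICY_FAILED_ENFORCING   /* load failed while enforcing: halt */
};

typedef int (*policy_loader_fn)(int *enforce);

/* Core decision: only a failed load in enforcing mode is fatal. */
enum policy_outcome decide_policy_outcome(policy_loader_fn loader, int *enforce_out)
{
    int enforce = 0;
    int rc = loader(&enforce);

    if (enforce_out)
        *enforce_out = enforce;
    if (rc == 0)
        return POLICY_LOADED;
    return enforce ? POLICY_FAILED_ENFORCING : POLICY_FAILED_PERMISSIVE;
}

/* What the loadpolicy command should do with the outcome. */
int policy_load_is_fatal(enum policy_outcome outcome)
{
    return outcome == POLICY_FAILED_ENFORCING;
}

/* Constructed stand-in for selinux_init_load_policy (hypothetical):
 * returns whatever the scenario asks for, so the decision logic above
 * can be exercised for all four rc/enforce combinations. */
static int fake_rc = 0;
static int fake_enforce = 1;

static int fake_loader(int *enforce)
{
    *enforce = fake_enforce;
    return fake_rc;
}

/* Run one scenario through the decision logic and report it. */
enum policy_outcome run_scenario(int rc, int enforce)
{
    static const char *names[] = {
        "loaded, continue", "failed, permissive: warn and continue",
        "failed, enforcing: halt"
    };
    int mode = -1;
    enum policy_outcome out;

    fake_rc = rc;
    fake_enforce = enforce;
    out = decide_policy_outcome(fake_loader, &mode);
    printf("rc=%2d enforce=%d -> %s%s\n", rc, mode, names[out],
           policy_load_is_fatal(out) ? " (exit 1)" : "");
    return out;
}

int main(void)
{
    run_scenario(0, 1);   /* normal enforcing boot */
    run_scenario(0, 0);   /* enforcing=0 on the command line, load fine */
    run_scenario(-1, 0);  /* load failed, but permissive: do not halt */
    run_scenario(-1, 1);  /* load failed while enforcing: halt */
    return 0;
}
```

The `rc=-1, enforce=0` row is the case the quoted code mishandles: it would `exit(1)` even though the kernel is not going to enforce anything, turning a permissive boot into a hang.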



