[RFC] change policy loading to initramfs

Chad Sellers csellers at tresys.com
Thu Jan 24 17:38:20 UTC 2008


On 1/24/08 11:11 AM, "Bill Nottingham" <notting at redhat.com> wrote:

> Stephen Smalley (sds at tycho.nsa.gov) said:
>> Hmm...Chad Sellers was working on similar support for Ubuntu, but did it
>> by adding a -i option to the load_policy program to perform an initial
>> policy load so that you can just execute it from a script rather than
>> requiring a direct patch to nash or anything else.  cc'ing him.  The
>> load_policy -i support is upstream and should be in Fedora devel /
>> rawhide too.
> 
> This would still need to be done chroot()ed into the system (there's no
> way to set the base path for filename resolution), correct?
> 
Yes, I have to chroot to make this work. The current working initramfs
script that I've been using in Ubuntu looks like this (at least the
important parts):

set +e
# Load the initial policy from the real root filesystem (mounted on /root in
# the initramfs). The chroot is required because load_policy resolves its
# paths relative to the current root.
chroot /root /usr/sbin/load_policy -i
RET=$?
# load_policy -i exits with 3 when the policy failed to load and enforcing
# mode was requested; any other non-zero status is treated as non-fatal.
if [ $RET -eq 3 ]; then
    echo "SELinux policy load failed and enforcing mode requested, halting now"
    kill -INT 1
elif [ $RET -ne 0 ]; then
    echo "SELinux policy load failed, continuing"
fi

So, I just call load_policy -i from a chroot, and then save off the return
value. load_policy -i has a separate return value (3) if the system should
halt (i.e. enforcing requested but policy load failed). If that occurs, I
kill the initramfs init process. Note that Ubuntu uses busybox init for its
initrd, which seems quite buggy when it comes to signal handling. It
apparently ignores SIGKILL, but dies on SIGINT. Eventually I plan to debug
this further to figure out why this is the case and send a patch to the
busybox guys, but I haven't had time yet.


----------------------
Chad Sellers
csellers at tresys.com
http://www.tresys.com
