[RFC] change policy loading to initramfs

Chad Sellers csellers at tresys.com
Thu Jan 24 20:34:27 UTC 2008


On 1/24/08 11:48 AM, "Bill Nottingham" <notting at redhat.com> wrote:

> Peter Jones (pjones at redhat.com) said:
>> int loadPolicyCommand(char *cmd, char *end)
>> {
>>     int enforce = 0;
>>     int rootfd;
>> 
>>     rootfd = open("/", O_DIRECTORY|O_RDONLY);
>>     if (rootfd < 0) {
>>         eprintf("loadpolicy: could not open directory: %m\n");
>>         exit(1);
>>     }
>>     if (chroot("/sysroot") != 0) {
>>         eprintf("loadpolicy: chroot failed: %m\n");
>>         exit(1);
>>     }
>>     if (selinux_init_policy(&enforce) != 0) {
>>         eprintf("Unable to load SELinux policy (%m). Halting now.\n");
>>         exit(1);
>>     }
> 
> selinux_init_load_policy is what handles enforcing=0/selinux=0 on the
> commandline - you only want to halt if you get back that it failed
> and you're in enforcing mode. (Similarly, not sure if chdir/chroot
> should be fatal errors.)
> 
A good point. I handle this (in my script from the other post) by only dying
if the return code is 3 (meaning we're supposed to be enforcing and loading
policy failed). I didn't consider all the error conditions due to chroot
itself. I believe the list of return codes to consider (thanks to Steve) is:

chroot:
0 success
1 (various failures, including usage, failure to chroot, failure to
chdir)
126 (any failure on exec except for ENOENT)
127 (ENOENT on the exec, i.e. couldn't find load_policy)

load_policy -i:
0 success
1 usage
2 can't load policy but proceed
3 can't load policy and die

The security guy in me says die on any return value besides 0 or 2, but
that's probably too draconian. At the very least, we should continue on 127
(if load_policy is not installed).

Thoughts?

Thanks,
Chad
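
The return-code handling discussed above, as an added example that is not part of the original post or of Chad's script: a POSIX sh helper that maps the exit status of `chroot /sysroot load_policy -i` to a continue/halt decision under the three options mentioned in the message. The function names and the policy labels (lenient, allow-missing, strict) are hypothetical; the status meanings are the ones listed above.

```shell
#!/bin/sh
# Added example. Policy labels are hypothetical names for the options in the message:
#   lenient       - halt only on 3 (enforcing and policy load failed)
#   allow-missing - halt on anything but 0 or 2, except 127 (load_policy not installed)
#   strict        - halt on anything but 0 or 2

# describe_status RC: meaning of RC per the lists in the message.
# Note that 1 is ambiguous: chroot and load_policy both use it.
describe_status() {
    case "$1" in
        0)   echo "success" ;;
        1)   echo "chroot failure (usage/chroot/chdir) or load_policy usage" ;;
        2)   echo "load_policy: can't load policy but proceed" ;;
        3)   echo "load_policy: can't load policy and die" ;;
        126) echo "chroot: exec failed (not ENOENT)" ;;
        127) echo "chroot: load_policy not found (ENOENT)" ;;
        *)   echo "unexpected status" ;;
    esac
}

# decide POLICY RC: prints "continue" or "halt".
decide() {
    policy=$1
    rc=$2
    case "$rc" in
        0|2) echo continue; return ;;  # loaded, or failed while not enforcing
        3)   echo halt; return ;;      # enforcing and load failed: always fatal
    esac
    case "$policy" in
        lenient)       echo continue ;;
        allow-missing) [ "$rc" -eq 127 ] && echo continue || echo halt ;;
        *)             echo halt ;;    # strict, or unknown policy: fail closed
    esac
}

# run_loadpolicy POLICY CMD...: runs CMD, logs the outcome to stderr,
# returns 0 if boot should continue and 1 if it should halt.
run_loadpolicy() {
    policy=$1
    shift
    rc=0
    "$@" || rc=$?
    action=$(decide "$policy" "$rc")
    echo "loadpolicy: status $rc ($(describe_status "$rc")): $action" >&2
    [ "$action" = continue ]
}

# Intended call site in an initramfs script (needs root and a mounted /sysroot):
#   run_loadpolicy allow-missing chroot /sysroot load_policy -i || exit 1
```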



