Enabling SELinux on a custom kernel
Serge E. Hallyn
serue at us.ibm.com
Tue Jul 8 14:19:26 UTC 2008
Quoting Stephen Smalley (sds at tycho.nsa.gov):
>
> On Tue, 2008-07-08 at 11:10 +0200, Jan Kasprzak wrote:
> > Hello,
> >
> > how do I enable SELinux on a custom kernel? I have looked into
> > the system initrd, and it seems the policy is loaded by the "loadpolicy"
> > command in nash. Is it possible to use SELinux with Fedora without
> > having to use initrd?
>
> Prior to Fedora 9, Fedora used a patched /sbin/init program to perform
> the initial policy load (it would load policy and then re-exec itself in
> order to enter the correct domain). Fedora 9 switched over to loading
> policy from the initrd.
>
> Your options would seem to be:
> - use an initrd (easiest),
> - re-patch your /sbin/init program,
> - try to do it from inittab or rc.sysinit (but the problem there is that
> it doesn't get /sbin/init itself into the right domain).

Aaaah. I was wondering why my new f9-based kvm image wasn't enabling
SELinux when I started it with "-kernel bzImage". That's going to be
a bit of a pain, as I assume I'll have to import the kernel tree into
the f9 image in order to create an initrd.

-serge
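
An added example, not part of the original thread: a shell check that tells apart the boot outcomes discussed above (no SELinux in the kernel, policy never loaded, policy loaded late so that init stayed in the kernel's domain, init correctly transitioned). It assumes that the kernel reports the context `kernel` before any policy is loaded and that the policy names the untransitioned domain `kernel_t`, as Fedora's policy does; the `ROOT` argument is a hypothetical prefix for running the check against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the thread): classify how far SELinux
# initialisation got by looking at PID 1's security context.
# Usage: selinux_boot_state [ROOT]
#   ROOT is a hypothetical prefix for testing; empty means the live system.
selinux_boot_state() {
    root="${1:-}"

    # A kernel with SELinux built in and not disabled registers selinuxfs.
    if ! grep -qw selinuxfs "$root/proc/filesystems" 2>/dev/null; then
        echo "kernel-without-selinux"
        return 0
    fi

    attr="$root/proc/1/attr/current"
    if [ ! -r "$attr" ]; then
        echo "unknown"
        return 0
    fi

    # The kernel may NUL-terminate the context string; strip NUL and newline.
    ctx=$(tr -d '\000\n' < "$attr" 2>/dev/null || true)

    # Assumption: with no policy loaded the context is the bare word "kernel".
    if [ -z "$ctx" ]; then
        echo "unknown"
        return 0
    fi
    if [ "$ctx" = "kernel" ]; then
        echo "policy-not-loaded"
        return 0
    fi

    # Context layout is user:role:type[:range]; field 3 is the domain.
    type=$(printf '%s\n' "$ctx" | cut -d: -f3)

    # Assumption: kernel_t is the domain init keeps when policy was loaded
    # after it started and it never re-exec'd (the inittab/rc.sysinit case).
    if [ "$type" = "kernel_t" ]; then
        echo "init-in-kernel-domain"
    else
        echo "init-transitioned:$type"
    fi
}

# Report the state of the running system.
selinux_boot_state
```
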