Currently on at least Fedora, SELinux policy does not come in the
initramfs. systemd will attempt to load *both* in the initramfs and
in the real root.
Now, the selinux_init_load_policy() API has a regular error return
value, as well as an "enforcing" boolean. To determine enforcing
state, it looks for /etc/selinux/config as well as the presence of
"enforcing=" on the kernel command line.
Ordinarily, neither of those exist in the initramfs, so it will return
"unknown" for enforcing, and systemd will simply ignore the failure to
load policy.
cb.func_log = null_log;
selinux_set_callback(SELINUX_CB_LOG, cb);
cb.func_log = null_log;
selinux_set_callback(SELINUX_CB_LOG, cb);
+ /* Don't load policy in the initrd if we don't appear to have
+ * it. For the real root, we check below if we've already
+ * loaded policy, and return gracefully.
+ */
+ if (in_initrd() && access(selinux_path(), F_OK) < 0)
+ return 0;
+
/* Already initialized by somebody else? */
r = getcon_raw(&con);
if (r == 0) {
/* Already initialized by somebody else? */
r = getcon_raw(&con);
if (r == 0) {
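Review bot: The early return `if (in_initrd() && access(selinux_path(), F_OK) < 0) return 0;` treats every `access()` failure as "no policy present", so an EACCES or other transient error in the initrd would silently skip policy loading with no trace in the log; restrict the condition to `errno == ENOENT` (or at least emit a debug message such as "SELinux policy directory not found in initrd, skipping policy load") so the decision is visible when auditing why the initrd booted without policy. The comment above the check also promises that "For the real root, we check below if we've already loaded policy, and return gracefully", but the only real-root handling visible in this hunk is the existing `getcon_raw(&con)` / `if (r == 0)` context, so the comment should reference that check explicitly rather than describing behaviour the hunk does not add.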