teknoraver / rpms / systemd

Forked from rpms/systemd 2 months ago
Clone

Blame SOURCES/0198-selinux-Don-t-attempt-to-load-policy-in-initramfs-if.patch

572a44
From 4083e4d76b61bc9eb40583f941412c1ea1a0285b Mon Sep 17 00:00:00 2001
572a44
From: Colin Walters <walters@verbum.org>
572a44
Date: Fri, 21 Feb 2014 03:29:00 +0100
572a44
Subject: [PATCH] selinux: Don't attempt to load policy in initramfs if it
572a44
 doesn't exist
572a44
572a44
Currently on at least Fedora, SELinux policy does not come in the
572a44
initramfs.  systemd will attempt to load *both* in the initramfs and
572a44
in the real root.
572a44
572a44
Now, the selinux_init_load_policy() API has a regular error return
572a44
value, as well as an "enforcing" boolean.  To determine enforcing
572a44
state, it looks for /etc/selinux/config as well as the presence of
572a44
"enforcing=" on the kernel command line.
572a44
572a44
Ordinarily, neither of those exist in the initramfs, so it will return
572a44
"unknown" for enforcing, and systemd will simply ignore the failure to
572a44
load policy.
572a44
---
572a44
 src/core/selinux-setup.c | 7 +++++++
572a44
 1 file changed, 7 insertions(+)
572a44
572a44
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
572a44
index 7a32ed5..9a5d6b2 100644
572a44
--- a/src/core/selinux-setup.c
572a44
+++ b/src/core/selinux-setup.c
572a44
@@ -58,6 +58,13 @@ int selinux_setup(bool *loaded_policy) {
572a44
        cb.func_log = null_log;
572a44
        selinux_set_callback(SELINUX_CB_LOG, cb);
572a44
 
572a44
+       /* Don't load policy in the initrd if we don't appear to have
572a44
+        * it.  For the real root, we check below if we've already
572a44
+        * loaded policy, and return gracefully.
572a44
+        */
572a44
+       if (in_initrd() && access(selinux_path(), F_OK) < 0)
572a44
+               return 0;
572a44
+
572a44
        /* Already initialized by somebody else? */
572a44
        r = getcon_raw(&con);
572a44
        if (r == 0) {