From 4083e4d76b61bc9eb40583f941412c1ea1a0285b Mon Sep 17 00:00:00 2001

From: Colin Walters <walters@verbum.org>

Date: Fri, 21 Feb 2014 03:29:00 +0100

Subject: [PATCH] selinux: Don't attempt to load policy in initramfs if it

 doesn't exist

Currently on at least Fedora, SELinux policy does not come in the

initramfs.  systemd will attempt to load *both* in the initramfs and

in the real root.

Now, the selinux_init_load_policy() API has a regular error return

value, as well as an "enforcing" boolean.  To determine enforcing

state, it looks for /etc/selinux/config as well as the presence of

"enforcing=" on the kernel command line.

Ordinarily, neither of those exist in the initramfs, so it will return

"unknown" for enforcing, and systemd will simply ignore the failure to

load policy.

---

 src/core/selinux-setup.c | 7 +++++++

 1 file changed, 7 insertions(+)

diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c

index 7a32ed5..9a5d6b2 100644

--- a/src/core/selinux-setup.c

+++ b/src/core/selinux-setup.c

@@ -58,6 +58,13 @@ int selinux_setup(bool *loaded_policy) {

        cb.func_log = null_log;

        selinux_set_callback(SELINUX_CB_LOG, cb);

+       /* Don't load policy in the initrd if we don't appear to have

+        * it.  For the real root, we check below if we've already

+        * loaded policy, and return gracefully.

+        */

+       if (in_initrd() && access(selinux_path(), F_OK) < 0)

+               return 0;

+

        /* Already initialized by somebody else? */

        r = getcon_raw(&con);

        if (r == 0) {