selinux: Don't attempt to load policy in initramfs if it doesn't exist

Currently on at least Fedora, SELinux policy does not come in the initramfs. systemd will attempt to load *both* in the initramfs and in the real root. Now, the selinux_init_load_policy() API has a regular error return value, as well as an "enforcing" boolean. To determine enforcing state, it looks for /etc/selinux/config as well as the presence of "enforcing=" on the kernel command line. Ordinarily, neither of those exist in the initramfs, so it will return "unknown" for enforcing, and systemd will simply ignore the failure to load policy.
author: Colin Walters <walters@verbum.org> 2014-02-21 03:29:00 +0100
committer: Lennart Poettering <lennart@poettering.net> 2014-02-21 03:30:18 +0100
commit: 37f78db2f4a33474fc349f406b0a0a48e9c573a2 (patch)
tree: 9dccace64bf1c211d0dac096baa2675936d3d3d8
parent: fdc8509fb61965698b7a54e3d0ac094650f21cad (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index 7a32ed59a0..9a5d6b2a9d 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -58,6 +58,13 @@ int selinux_setup(bool *loaded_policy) {
        cb.func_log = null_log;
        selinux_set_callback(SELINUX_CB_LOG, cb);
 
+       /* Don't load policy in the initrd if we don't appear to have
+        * it.  For the real root, we check below if we've already
+        * loaded policy, and return gracefully.
+        */
+       if (in_initrd() && access(selinux_path(), F_OK) < 0)
+               return 0;
+
        /* Already initialized by somebody else? */
        r = getcon_raw(&con);
        if (r == 0) {
author	Colin Walters <walters@verbum.org>	2014-02-21 03:29:00 +0100
committer	Lennart Poettering <lennart@poettering.net>	2014-02-21 03:30:18 +0100
commit	37f78db2f4a33474fc349f406b0a0a48e9c573a2 (patch)
tree	9dccace64bf1c211d0dac096baa2675936d3d3d8
parent	fdc8509fb61965698b7a54e3d0ac094650f21cad (diff)