
SELinux Mailing List

Re: init patch for loading policy

From: Daniel J Walsh <dwalsh_at_redhat.com>
Date: Mon, 20 Oct 2003 16:10:00 -0400


Stephen Smalley wrote:

>On Sun, 2003-10-19 at 11:48, Russell Coker wrote:
>
>
>>I've attached a patch for /sbin/init to load the policy and set enforcing
>>mode.
>>
>>
>
>Would it be cleaner to just do this via a script run from
>/etc/rc.d/rc.sysinit? It seems a bit ugly to patch this directly into
>/sbin/init. The script could perform a 'telinit u' after loading the
>policy to trigger the domain transition for the init process, and would
>simply return immediately upon the second invocation when it detected
>that selinuxfs was already mounted.
>
>
>

I don't believe that would not re-start the rc.sysinit process in the correct context.

>>3) Mount /proc, if error then go to FINISH (*).
>>4) Check /proc/filesystems for selinuxfs entry, if it's not there then we
>>aren't running an SE Linux kernel so go to FINISH. If it's there then we
>>have a serious error condition so go to ERR (I forgot to close a file handle,
>>not that it matters much - I'll fix it later).
>>
>>
>
>This should be indicated by the return code / error message when you try
>to mount selinuxfs.
>
>
>
>>6) Set enforcing mode, if error then go to ERR.
>>
>>
>
>This will always fail on a kernel that was built with
>CONFIG_SECURITY_SELINUX_DEVELOP=n, as /selinux/enforce will not define a
>write operation in that case. Also, it would require booting with an
>alternate init program in order to boot permissive. There doesn't seem
>to be any reason to do this, as you can specify enforcing=1 on the
>kernel command line or enable it via rc.sysinit if desired.
>
>
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Mon 20 Oct 2003 - 16:10:11 EDT
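
The check Stephen Smalley describes above (return immediately on the second invocation once selinuxfs is already mounted), together with the /proc/filesystems test from Russell Coker's step 4, as an added example that is not code from the thread. The function names and action labels are hypothetical and the sample files are constructed; the script only decides what to do and does not mount or load anything.

```sh
#!/bin/sh
# Added illustration (not from the thread): decide what a policy-loading
# script called from rc.sysinit should do, so that the second invocation
# after 'telinit u' returns immediately.

# True if FILE (format of /proc/filesystems) lists selinuxfs.
# Lines look like "nodev<TAB>name" or "<TAB>name"; the name is the last field.
kernel_has_selinuxfs() {
    awk '$NF == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# True if FILE (format of /proc/mounts) shows a mounted selinuxfs.
# Field 3 of each line is the filesystem type.
selinuxfs_mounted() {
    awk '$3 == "selinuxfs" { found = 1 } END { exit !found }' "$1"
}

# decide FILESYSTEMS MOUNTS: print the action for this invocation.
decide() {
    if selinuxfs_mounted "$2"; then
        echo already-loaded   # re-run after 'telinit u': nothing to do
    elif kernel_has_selinuxfs "$1"; then
        echo load-policy      # mount selinuxfs, load policy, then 'telinit u'
    else
        echo not-selinux      # not an SE Linux kernel: continue normal boot
    fi
}

# Constructed sample inputs standing in for /proc/filesystems and /proc/mounts.
demo_dir=$(mktemp -d)
printf 'nodev\tproc\nnodev\tselinuxfs\n\text3\n' > "$demo_dir/filesystems"
printf '/dev/hda1 / ext3 rw 0 0\n' > "$demo_dir/mounts.first"
printf '/dev/hda1 / ext3 rw 0 0\nnone /selinux selinuxfs rw 0 0\n' \
    > "$demo_dir/mounts.second"

echo "first run:  $(decide "$demo_dir/filesystems" "$demo_dir/mounts.first")"
echo "second run: $(decide "$demo_dir/filesystems" "$demo_dir/mounts.second")"
rm -rf "$demo_dir"
```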
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service