RE: [fedora-arm] SELinux on F11 on ARM (in QEMU)?
-----Original Message-----
From: fedora-arm-bounces(a)redhat.com [mailto:fedora-arm-
bounces(a)redhat.com] On Behalf Of Per Nystrom
Sent: 22 October 2009 02:14
To: Steve Grubb
Cc: fedora-arm(a)redhat.com
Subject: Re: [fedora-arm] SELinux on F11 on ARM (in QEMU)?
On Wed, 2009-10-21 at 15:38 -0400, Steve Grubb wrote:
> On Wednesday 21 October 2009 02:32:04 pm Per Nystrom wrote:
> > These are the only messages I see from dmesg:
> >
> > [root@fedora-arm ~]# dmesg | grep -i selinux
> > SELinux: Initializing.
> > SELinux: Starting in permissive mode
>
> OK, did some checking. SE Linux policy is loaded in the
initrd in F-11. The
> reason why is because if its done from /etc/rc.sysinit, then
init has the
> wrong context and that leads to lots of problems. So, you
would need to boot
> via initrd to have selinux working. The initrd only needs to
call load_policy
> and nothing else.
>
> Another approach used back in F-9/10 was to patch init itself
to load policy.
> That patch could probably be pulled from cvs.
Which approach is likely to be supported in the ARM
distribution going
forward? I'd rather keep things simple and not use an initrd,
but I'd
like to know if that patch is going to make it into F11 ARM and
later
releases.
If possible, could you please go ahead and see how the patch works for you?
To begin with let us at least keep the patch around/accessible. If it works for you,
I'll spin a pre-built fc11/fc12 rpm with that patch for users to pick up.
As a policy we do not want to diverge from upstream Fedora packages. But we could make
that call based on how many users pick this approach.
Thanks,
Per
Kedar.
_______________________________________________
fedora-arm mailing list
fedora-arm(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-arm