-----Original Message----- From: fedora-arm-bounces@redhat.com [mailto:fedora-arm- bounces@redhat.com] On Behalf Of Per Nystrom Sent: 22 October 2009 02:14 To: Steve Grubb Cc: fedora-arm@redhat.com Subject: Re: [fedora-arm] SELinux on F11 on ARM (in QEMU)?
On Wed, 2009-10-21 at 15:38 -0400, Steve Grubb wrote:
On Wednesday 21 October 2009 02:32:04 pm Per Nystrom wrote:
These are the only messages I see from dmesg:
[root@fedora-arm ~]# dmesg | grep -i selinux SELinux: Initializing. SELinux: Starting in permissive mode
OK, did some checking. SE Linux policy is loaded in the
initrd in F-11. The
reason why is because if its done from /etc/rc.sysinit, then
init has the
wrong context and that leads to lots of problems. So, you
would need to boot
via initrd to have selinux working. The initrd only needs to
call load_policy
and nothing else.
Another approach used back in F-9/10 was to patch init itself
to load policy.
That patch could probably be pulled from cvs.
Which approach is likely to be supported in the ARM distribution going forward? I'd rather keep things simple and not use an initrd, but I'd like to know if that patch is going to make it into F11 ARM and later releases.
If possible, could you please go ahead and see how the patch works for you?
To begin with let us at least keep the patch around/accessible. If it works for you, I'll spin a pre-built fc11/fc12 rpm with that patch for users to pick up.
As a policy we do not want to diverge from upstream Fedora packages. But we could make that call based on how many users pick this approach.
Thanks, Per
Kedar.
fedora-arm mailing list fedora-arm@redhat.com https://www.redhat.com/mailman/listinfo/fedora-arm