[fedora-arm] SELinux on F11 on ARM (in QEMU)?

Kedar Sovani kedars at marvell.com
Thu Oct 22 16:33:24 UTC 2009


> -----Original Message-----
> From: fedora-arm-bounces at redhat.com [mailto:fedora-arm-bounces at redhat.com] On Behalf Of Per Nystrom
> Sent: 22 October 2009 02:14
> To: Steve Grubb
> Cc: fedora-arm at redhat.com
> Subject: Re: [fedora-arm] SELinux on F11 on ARM (in QEMU)?
> 
> 
> On Wed, 2009-10-21 at 15:38 -0400, Steve Grubb wrote:
> > On Wednesday 21 October 2009 02:32:04 pm Per Nystrom wrote:
> > > These are the only messages I see from dmesg:
> > >
> > > [root at fedora-arm ~]# dmesg | grep -i selinux
> > > SELinux:  Initializing.
> > > SELinux:  Starting in permissive mode
> >
> > OK, did some checking. SE Linux policy is loaded in the initrd in F-11. The
> > reason why is because if it's done from /etc/rc.sysinit, then init has the
> > wrong context and that leads to lots of problems. So, you would need to boot
> > via initrd to have selinux working. The initrd only needs to call load_policy
> > and nothing else.
> >
> > Another approach used back in F-9/10 was to patch init itself to load policy.
> > That patch could probably be pulled from cvs.
> 
> Which approach is likely to be supported in the ARM distribution going
> forward?  I'd rather keep things simple and not use an initrd, but I'd
> like to know if that patch is going to make it into F11 ARM and later
> releases.

If possible, could you please go ahead and see how the patch works for you? 

To begin with let us at least keep the patch around/accessible. If it works for you, I'll spin a pre-built fc11/fc12 rpm with that patch for users to pick up.

As a policy we do not want to diverge from upstream Fedora packages. But we could make that call based on how many users pick this approach.

> 
> Thanks,
> Per


Kedar.


> 
> _______________________________________________
> fedora-arm mailing list
> fedora-arm at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-arm
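
An added example, not part of the thread or of any Fedora package: a shell check for the symptom Steve Grubb describes above, where init is left in the wrong context because policy was loaded after init had already started. The path /proc/1/attr/current and the type names init_t and kernel_t are assumptions based on Fedora's targeted policy; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: PID 1's label is readable
# from /proc/1/attr/current, init is expected to run as init_t, and a process
# started before policy load keeps the kernel's type, kernel_t.

# Print the type field of user:role:type[:level]; empty if not a full context.
context_type() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" | cut -d: -f3 ;;
        *)     printf '\n' ;;
    esac
}

# classify_pid1_context <file holding PID 1's security context>
# Prints "<verdict>: <explanation>".
classify_pid1_context() {
    # /proc attr files may end in a NUL byte rather than a newline.
    ctx=$(tr -d '\000\n' 2>/dev/null < "$1") || ctx=
    t=$(context_type "$ctx")
    case "$t" in
        init_t)
            echo "ok: policy was loaded before init was executed" ;;
        kernel_t)
            echo "late-load: policy was loaded after init started, init kept kernel_t" ;;
        "")
            # Assumption: without a loaded policy there is no user:role:type label.
            echo "no-policy: PID 1 has no full context, load_policy has not run" ;;
        *)
            echo "unexpected: PID 1 runs as $t" ;;
    esac
}

# Run against the live system only when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    classify_pid1_context /proc/1/attr/current
fi
```

A "late-load" verdict corresponds to loading policy from /etc/rc.sysinit without an initrd or a patched init.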