selinux hasn't been running for over a week

Daniel J Walsh dwalsh at redhat.com
Fri Sep 18 14:55:39 UTC 2009


On 09/18/2009 10:25 AM, Stephen Smalley wrote:
> On Fri, 2009-09-18 at 10:16 -0400, Daniel J Walsh wrote:
>> On 09/18/2009 10:05 AM, Stephen Smalley wrote:
>>> On Fri, 2009-09-18 at 10:01 -0400, Steve Grubb wrote:
>>>> On Friday 18 September 2009 09:54:12 am Daniel J Walsh wrote:
>>>>>>> If the kernel has SELinux and it is not in permissive mode, it should
>>>>>>>  execute load_policy
>>>>>
>>>>> Yes in permissive mode load_policy will return 2 if it can not load policy.
>>>>> I guess dracut should also look in /etc/selinux/config to see if the
>>>>>  SELINUX  environment variable is not set to enforcing.
>>>>
>>>> What about interaction with the kernel command line? What the kernel was given 
>>>> is listed in /proc/cmdline. iow, if I boot with selinux=0 and the config says 
>>>> enabled, shouldn't the kernel command line take priority?
>>>
>>> That all gets taken care of inside of libselinux
>>> selinux_init_load_policy() function, which is what load_policy calls.
>>>
>>>>
>>>>>> You mean if the machine is in permissive mode, it should load_policy, but
>>>>>> not  crash. But it should log the reason so it can be debugged.
>>>>>>
>>>>>>> Load_policy will exit with 0 on success or 2 on failure and SELinux in
>>>>>>>  permissive mode.
>>>>>>
>>>>>> And if chroot fails, we need to handle it.
>>>>>
>>>>> This will probably crash anyways
>>>>
>>>> In the code I looked at, only if it returned 3...
>>>
>>> load_policy exits with 3 if the load policy failed and the system was
>>> supposed to be in enforcing mode (based on the combination of kernel
>>> command line arguments, which do take precedence, and
>>> the /etc/selinux/config setting).  It exits with 2 if the load policy
>>> failed and the system was supposed to be permissive.
>>>  
>> Right but what happens if load_policy is called with the wrong parameter?
>> What happens if load_policy can not be called because of permission denied?
> 
> I'm not entirely clear as to why you are asking, but:
> $ load_policy --foo
> load_policy: invalid option -- '-'
> usage:  load_policy [-qi]
> $ echo $?
> 1
> $ runcon system_u:system_r:httpd_t:s0 load_policy
> runcon: load_policy: Permission denied
> $ echo $?
> 126
> 
> Are you just saying that dracut needs to fail closed (i.e. halt the
> system) if the exit code is anything other than 0 (success) or 2 (failed
> but permissive)?
> 
Well it is not that simple.

If the kernel cmdline had selinux=0 or enforcing=0 or /etc/selinux/config had SELINUX=disabled or SELINUX=permissive then it should continue, otherwise the machine has to be assumed to be in enforcing mode, so if it can not load policy it is a system failure.

I would figure this is what the MLS crowd would want.  You configured the machine to run in enforcing mode and the system can not load policy for some reason, you need to crash.  This is what the old patches did.
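
The rule in this message, combined with the command-line precedence Stephen Smalley describes in the quoted reply, as an added shell example that is not part of the original message and is not dracut's or libselinux's code. The function names, argument order and sample data are assumptions.

```shell
#!/bin/sh
# Added illustration: not dracut or libselinux code. Function names and
# sample data are assumptions.

# intended_mode CMDLINE CONFIG_FILE -> prints disabled|permissive|enforcing
intended_mode() (
    set -f                          # no globbing while splitting CMDLINE
    off="" mode=""
    for arg in $1; do
        case "$arg" in
            selinux=0)   off=1 ;;
            enforcing=0) mode=permissive ;;
            enforcing=1) mode=enforcing ;;
        esac
    done
    if [ -n "$off" ]; then
        mode=disabled               # command line wins over the config file
    elif [ -z "$mode" ] && [ -r "$2" ]; then
        mode=$(sed -n 's/^SELINUX=\([a-z]*\)[[:space:]]*$/\1/p' "$2" | tail -n 1)
    fi
    case "$mode" in
        disabled|permissive) echo "$mode" ;;
        *) echo enforcing ;;        # unset, unreadable, unrecognised: assume enforcing
    esac
)

# boot_decision LOAD_POLICY_RC CMDLINE CONFIG_FILE -> prints continue|halt
boot_decision() {
    if [ "$1" -eq 0 ]; then
        echo continue               # policy loaded
    elif [ "$(intended_mode "$2" "$3")" = enforcing ]; then
        echo halt                   # meant to enforce, policy not loaded
    else
        echo continue               # disabled or permissive: keep booting
    fi
}

# Constructed sample input, not taken from a real system.
cfg=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$cfg"
for rc in 0 1 2 3 126; do
    echo "load_policy rc=$rc -> $(boot_decision "$rc" 'ro root=/dev/sda1 quiet' "$cfg")"
done
rm -f "$cfg"
```

Exit codes 1 and 126 from the quoted terminal session fall into the same branch as 2 and 3 here: the decision depends on the configured mode, not on which failure code came back.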
