
List:       systemd-devel
Subject:    [systemd-devel] [PATCH] core: let selinux_setup() load policy more than once
From:       wwoods () redhat ! com (Will Woods)
Date:       2014-04-28 17:29:34
Message-ID: 1398706174.3576.31.camel () metroid ! usersys ! redhat ! com

On Fri, 2014-04-25 at 18:26 -0400, Will Woods wrote:
> Currently, systemd refuses to load SELinux policy more than once.
> 
> Normal systems don't care, because they either:
> a) have initramfs without policy, then load policy after switch-root, or
> b) load policy in initramfs, and never switch-root out.
> 
> But if you *do* switch-root more than once - which fedup does! - you're
> supposed to run selinux_init_load_policy() afterward to ensure that you set up
> selinuxfs and load the new SELinux policy correctly.

For reference, here's the thread from selinux at tycho.nsa.gov where this
was discussed:

  http://marc.info/?l=selinux&m=139782596307221&w=2

The upshot is: yes, we're supposed to do selinux_init_load_policy()
after *every* switch-root.

-w

