Re: Policy loading problem

[Dennis Wronka <linuxweb@gmx.net>]

[-- Attachment #1: Type: text/plain, Size: 1786 bytes --]

Just an idea:
Wouldn't it be possible to split CONFIG_SECURITY_SELINUX_DEVELOP into two 
options, pretty much like CONFIG_SECURITY_SELINUX_BOOTPARAM and 
CONFIG_SECURITY_SELINUX_DISABLE?

I like the idea because it would prevent somebody that has physical access to 
set SELinux to permissive (and thus practically disabling its protection) on 
boot, but still keep the option for root (either as sysadm_r or, preferably, 
as secadm_r) to switch to permissive mode after boot.

On Wednesday 20 May 2009 22:59:13 Stephen Smalley wrote:
> On Wed, 2009-05-20 at 22:57 +0800, Dennis Wronka wrote:
> > Okay, here we go:
> >
> > I unmounted /selinux and then got this:
> > load_policy: Can't load policy: Invalid argument
> >
> > I attached my kernel-config and the two traces (trace1 for the "Device or
> > resource busy"-error, trace2 for the "Invalid argument"-error).
>
> Ahem.  Your kernel config has these SELinux options:
> CONFIG_SECURITY_SELINUX=y
> # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
> # CONFIG_SECURITY_SELINUX_DISABLE is not set
> # CONFIG_SECURITY_SELINUX_DEVELOP is not set
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
>
> Note that your kernel config does not support:
> 1) The selinux= kernel boot parameter
> (CONFIG_SECURITY_SELINUX_BOOTPARAM),
> 2) The ability to disable SELinux from /sbin/init based on
> SELINUX=disabled in /etc/selinux/config
> (CONFIG_SECURITY_SELINUX_DISABLE),
> 3) Permissive mode (CONFIG_SECURITY_SELINUX_DEVELOP)
>
> Is that what you intended?  IOW, you cannot boot permissive, and the
> load policy logic is failing when it tries to switch to permissive mode
> (write to /selinux/enforce).



[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]