Stephen Smalley wrote:

>On Sun, 2003-10-19 at 11:48, Russell Coker wrote:
>  
>
>>I've attached a patch for /sbin/init to load the policy and set enforcing 
>>mode.  
>>    
>>
>
>Would it be cleaner to just do this via a script run from
>/etc/rc.d/rc.sysinit?  It seems a bit ugly to patch this directly into
>/sbin/init.  The script could perform a 'telinit u' after loading the
>policy to trigger the domain transition for the init process, and would
>simply return immediately upon the second invocation when it detected
>that selinuxfs was already mounted.
>
>  
>
I don-t believe that would not re-start the rc.sysinit process in the 
correct context.

>>3)  Mount /proc, if error then go to FINISH (*).
>>4)  Check /proc/filesystems for selinuxfs entry, if it's not there then we 
>>aren't running an SE Linux kernel so go to FINISH.  If it's there then we 
>>have a serious error condition so go to ERR (I forgot to close a file handle, 
>>not that it matters much - I'll fix it later).
>>    
>>
>
>This should be indicated by the return code / error message when you try
>to mount selinuxfs.
>
>  
>
>>6)  Set enforcing mode, if error then go to ERR.
>>    
>>
>
>This will always fail on a kernel that was built with
>CONFIG_SECURITY_SELINUX_DEVELOP=n, as /selinux/enforce will not define a
>write operation in that case.  Also, it would require booting with an
>alternate init program in order to boot permissive.  There doesn't seem
>to be any reason to do this, as you can specify enforcing=1 on the
>kernel command line or enable it via rc.sysinit if desired.
>
>  
>