On Sun, 2003-10-19 at 11:48, Russell Coker wrote:
  

I've attached a patch for /sbin/init to load the policy and set enforcing 
mode.  
    

Would it be cleaner to just do this via a script run from
/etc/rc.d/rc.sysinit?  It seems a bit ugly to patch this directly into
/sbin/init.  The script could perform a 'telinit u' after loading the
policy to trigger the domain transition for the init process, and would
simply return immediately upon the second invocation when it detected
that selinuxfs was already mounted.

  

3)  Mount /proc, if error then go to FINISH (*).
4)  Check /proc/filesystems for selinuxfs entry, if it's not there then we 
aren't running an SE Linux kernel so go to FINISH.  If it's there then we 
have a serious error condition so go to ERR (I forgot to close a file handle, 
not that it matters much - I'll fix it later).
    

This should be indicated by the return code / error message when you try
to mount selinuxfs.

  

6)  Set enforcing mode, if error then go to ERR.
    

This will always fail on a kernel that was built with
CONFIG_SECURITY_SELINUX_DEVELOP=n, as /selinux/enforce will not define a
write operation in that case.  Also, it would require booting with an
alternate init program in order to boot permissive.  There doesn't seem
to be any reason to do this, as you can specify enforcing=1 on the
kernel command line or enable it via rc.sysinit if desired.