From: Daniel J Walsh <dwalsh@redhat.com>
To: Will Woods <wwoods@redhat.com>, selinux@tycho.nsa.gov
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH] selinux_init_load_policy: setenforce(0) if security_disable() fails
Date: Wed, 30 Apr 2014 09:37:59 -0400 [thread overview]
Message-ID: <5360FCB7.9090604@redhat.com> (raw)
In-Reply-To: <1398787174-20523-1-git-send-email-wwoods@redhat.com>
On 04/29/2014 11:59 AM, Will Woods wrote:
> If you run selinux_init_load_policy() after a chroot/switch-root, it's
> possible that your *previous* root loaded policy, but your *new* root
> wants SELinux disabled.
>
> We can't disable SELinux in this case, but we *do* need to make sure
> it's permissive. Otherwise we may continue to enforce the old policy.
>
> So, if seconfig = -1, but security_disable() fails, we set *enforce=0,
> and then let the existing code handle the security_{get,set}enforce
> stuff.
>
> Once that's handled, exit with failure via "goto noload", as before.
> ---
> libselinux/src/load_policy.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
> index e419f1a..21ee58b 100644
> --- a/libselinux/src/load_policy.c
> +++ b/libselinux/src/load_policy.c
> @@ -417,13 +417,15 @@ int selinux_init_load_policy(int *enforce)
> /* Successfully disabled, so umount selinuxfs too. */
> umount(selinux_mnt);
> fini_selinuxmnt();
> + goto noload;
> + } else {
> + /*
> + * It's possible that this failed because policy has
> + * already been loaded. We can't disable SELinux now,
> + * so the best we can do is force it to be permissive.
> + */
> + *enforce = 0;
> }
> - /*
> - * If we failed to disable, SELinux will still be
> - * effectively permissive, because no policy is loaded.
> - * No need to call security_setenforce(0) here.
> - */
> - goto noload;
> }
>
> /*
> @@ -442,6 +444,9 @@ int selinux_init_load_policy(int *enforce)
> }
> }
>
> + if (seconfig == -1)
> + goto noload;
> +
> /* Load the policy. */
> return selinux_mkload_policy(0);
>
We attempted to make changes for this, and I believe it ended badly.
https://bugzilla.redhat.com/show_bug.cgi?id=1046470
next prev parent reply other threads:[~2014-04-30 13:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-29 15:59 [PATCH] selinux_init_load_policy: setenforce(0) if security_disable() fails Will Woods
2014-04-30 13:37 ` Daniel J Walsh [this message]
2014-04-30 15:26 ` Will Woods
2014-05-13 14:56 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5360FCB7.9090604@redhat.com \
--to=dwalsh@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=wwoods@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.