From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <5360FCB7.9090604@redhat.com> Date: Wed, 30 Apr 2014 09:37:59 -0400 From: Daniel J Walsh MIME-Version: 1.0 To: Will Woods , selinux@tycho.nsa.gov Subject: Re: [PATCH] selinux_init_load_policy: setenforce(0) if security_disable() fails References: <1398787174-20523-1-git-send-email-wwoods@redhat.com> In-Reply-To: <1398787174-20523-1-git-send-email-wwoods@redhat.com> Content-Type: text/plain; charset=ISO-8859-1 Cc: Stephen Smalley List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: On 04/29/2014 11:59 AM, Will Woods wrote: > If you run selinux_init_load_policy() after a chroot/switch-root, it's > possible that your *previous* root loaded policy, but your *new* root > wants SELinux disabled. > > We can't disable SELinux in this case, but we *do* need to make sure > it's permissive. Otherwise we may continue to enforce the old policy. > > So, if seconfig = -1, but security_disable() fails, we set *enforce=0, > and then let the existing code handle the security_{get,set}enforce > stuff. > > Once that's handled, exit with failure via "goto noload", as before. > --- > libselinux/src/load_policy.c | 17 +++++++++++------ > 1 file changed, 11 insertions(+), 6 deletions(-) > > diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c > index e419f1a..21ee58b 100644 > --- a/libselinux/src/load_policy.c > +++ b/libselinux/src/load_policy.c 
> @@ -417,13 +417,15 @@ int selinux_init_load_policy(int *enforce) > /* Successfully disabled, so umount selinuxfs too. */ > umount(selinux_mnt); > fini_selinuxmnt(); > + goto noload; > + } else { > + /* > + * It's possible that this failed because policy has > + * already been loaded. We can't disable SELinux now, > + * so the best we can do is force it to be permissive. > + */ > + *enforce = 0; > } > - /* > - * If we failed to disable, SELinux will still be > - * effectively permissive, because no policy is loaded. > - * No need to call security_setenforce(0) here. > - */ > - goto noload; > } > > /* > @@ -442,6 +444,9 @@ int selinux_init_load_policy(int *enforce) > } > } > > + if (seconfig == -1) > + goto noload; > + > /* Load the policy. */ > return selinux_mkload_policy(0); > We attempted to make changes for this, and I believe it ended badly. https://bugzilla.redhat.com/show_bug.cgi?id=1046470
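Review bot: in the first hunk (@@ -417), the new else branch sets `*enforce = 0` on every security_disable() failure, but its comment only covers the case where policy has already been loaded. The comment being removed described the opposite case (no policy loaded, so effectively permissive), and nothing in the new branch distinguishes the two. Consider either checking that a policy is actually loaded before forcing permissive, or rewording the comment to say that any failure now falls through to the existing security_getenforce()/security_setenforce() handling with enforce forced to 0, replacing whatever value the caller passed in.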
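Review bot: in the second hunk (@@ -442), `if (seconfig == -1) goto noload;` has no comment and sits well away from the disable branch it depends on, so the reason for skipping selinux_mkload_policy(0) is not clear at this point in the function. A short comment stating that SELinux was configured as disabled, could not be disabled, and has been forced permissive instead would help. It is also worth confirming that a failure inside the enforce-mode block just above still ends in the failure return the commit message promises, since that block's error path is not visible in this context.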