-
Notifications
You must be signed in to change notification settings - Fork 400
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Load the SELinux policy after switch_root. This fixes
the bootup process with recent kernels, as it was getting stuck on Permission Denied errors due to the early SELinux policy load. Signed-off-by: Guido Trentalancia <[email protected]> --- .github/labeler.yml | 4 - modules.d/98selinux/module-setup.sh | 17 ------- modules.d/98selinux/selinux-loadpolicy.sh | 70 ------------------------------ modules.d/99base/init.sh | 61 ++++++++++++++++++++++++++ 4 files changed, 61 insertions(+), 91 deletions(-)
- Loading branch information
1 parent
5d2bda4
commit 72af9cb
Showing
4 changed files
with
61 additions
and
91 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,6 +5,7 @@ | |
| # Copyright 2008-2010, Red Hat, Inc. | ||
| # Harald Hoyer <[email protected]> | ||
| # Jeremy Katz <[email protected]> | ||
| # Copyright 2024 Guido Trentalancia <[email protected]> | ||
|
|
||
| export -p > /tmp/export.orig | ||
|
|
||
|
|
@@ -397,3 +398,63 @@ else | |
| emergency_shell | ||
| } | ||
| fi | ||
|
|
||
| # If SELinux is disabled exit now | ||
| getarg "selinux=0" > /dev/null && return 0 | ||
|
|
||
| SELINUX="enforcing" | ||
| # shellcheck disable=SC1090 | ||
| [ -e "/etc/selinux/config" ] && . "/etc/selinux/config" | ||
|
|
||
| # Check whether SELinux is in permissive mode | ||
| permissive=0 | ||
|
|
||
| if getarg "enforcing=0" > /dev/null || [ "$SELINUX" = "permissive" ]; then | ||
| permissive=1 | ||
| fi | ||
|
|
||
| # Finally load the SELinux policy and perform relabeling if needed | ||
| if [ -x "/sbin/load_policy" ] || [ -x "/usr/sbin/load_policy" ]; then | ||
| local ret=0 | ||
| local out | ||
| info "Loading SELinux policy" | ||
|
|
||
| if [ -x "/sbin/load_policy" ]; then | ||
| out=$(LANG=C /sbin/load_policy -i 2>&1) | ||
| ret=$? | ||
| info "$out" | ||
| else | ||
| out=$(LANG=C /usr/sbin/load_policy -i 2>&1) | ||
| ret=$? | ||
| info "$out" | ||
| fi | ||
| umount /sys/fs/selinux | ||
|
|
||
| if [ "$SELINUX" = "disabled" ]; then | ||
| return 0 | ||
| fi | ||
|
|
||
| if [ $ret -eq 0 ] || [ $ret -eq 2 ]; then | ||
| # If machine requires a relabel, force to permissive mode | ||
| [ -e "/.autorelabel" ] && LANG=C /usr/sbin/setenforce 0 | ||
| mount --rbind /dev "/dev" | ||
| LANG=C /sbin/restorecon -R /dev | ||
| umount -R "/dev" | ||
| return 0 | ||
| fi | ||
|
|
||
| warn "Initial SELinux policy load failed." | ||
| if [ $ret -eq 3 ] || [ $permissive -eq 0 ]; then | ||
| warn "Machine in enforcing mode." | ||
| warn "Not continuing" | ||
| emergency_shell -n selinux | ||
| exit 1 | ||
| fi | ||
| return 0 | ||
| elif [ $permissive -eq 0 ] && [ "$SELINUX" != "disabled" ]; then | ||
| warn "Machine in enforcing mode and cannot execute load_policy." | ||
| warn "To disable selinux, add selinux=0 to the kernel command line." | ||
| warn "Not continuing" | ||
| emergency_shell -n selinux | ||
| exit 1 | ||
| fi | ||