[Pkg-sysvinit-devel] Bug#339862: initscripts: Should SELinux be disabled in fsck recovery mode?
Petter Reinholdtsen
pere at hungry.com
Sat Nov 19 11:52:41 UTC 2005
Package: initscripts
Version: 2.86.ds1-5
Severity: wishlist
Tags: patch
While reviewing the RedHat boot system, I discovered that they are
disabling SELinux before calling sulogin after a fsck failure. Should
we do the same?
Here is a patch relative to current CVS to enable this. It uses the
/usr/sbin/selinuxenabled program to detect SELinux. This will
probably fail if /usr/ is on a separate partition from the root
partition. An alternative, and the code used in RedHat to detect
SELinux, is to make a function with content like this:
    # Check SELinux status
    selinuxfs=`awk '/ selinuxfs / { print $2 }' /proc/mounts`
    SELINUX=
    if [ -n "$selinuxfs" ] &&
       [ "`cat /proc/self/attr/current`" != "kernel" ]; then
        if [ -r $selinuxfs/enforce ] ; then
            SELINUX=`cat $selinuxfs/enforce`
        else
            # assume enforcing if you can't read it
            SELINUX=1
        fi
    fi
Index: debian/initscripts/etc/init.d/functions.sh
===================================================================
--- debian/initscripts/etc/init.d/functions.sh (revisjon 156)
+++ debian/initscripts/etc/init.d/functions.sh (arbeidskopi)
@@ -14,3 +14,14 @@
fi
return 1
}
+
+#
+# Disable selinux before enabling recovery mode, to make it possible
+# to fix problems.
+#
+disable_selinux () {
+ echo "*** Warning -- SELinux is active"
+ echo "*** Disabling security enforcement for system recovery."
+ echo "*** Run 'setenforce 1' to reenable."
+ echo "0" > $selinuxfs/enforce
+}
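Review bot: disable_selinux writes to $selinuxfs/enforce, but nothing in this patch assigns selinuxfs; the only code that sets it is the alternative detection snippet in the message body, which the patch does not add. With the variable empty the redirect targets /enforce, and the three messages are printed whether or not the write succeeds. Set selinuxfs inside the function (or return early when it is empty), quote the path, and print the "Disabling" message only after the write has succeeded.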
Index: debian/initscripts/etc/init.d/checkfs.sh
===================================================================
--- debian/initscripts/etc/init.d/checkfs.sh (revisjon 156)
+++ debian/initscripts/etc/init.d/checkfs.sh (arbeidskopi)
@@ -57,6 +57,7 @@
then
log_failure_msg "File system check failed. Please repair manually."
log_success_msg "CONTROL-D will exit from this shell and continue system startup."
+ /usr/sbin/selinuxenabled && disable_selinux
# Start a single user shell on the console
/sbin/sulogin $CONSOLE
else
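Review bot: on this checkfs.sh path the preceding message says CONTROL-D will "continue system startup", so once /sbin/sulogin returns the boot proceeds with enforcement still switched off unless the administrator ran 'setenforce 1' by hand. Consider saving the enforce value before the call and writing it back after sulogin exits, so a recovery session does not leave the running system permissive.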
Index: debian/initscripts/etc/init.d/checkroot.sh
===================================================================
--- debian/initscripts/etc/init.d/checkroot.sh (revisjon 156)
+++ debian/initscripts/etc/init.d/checkroot.sh (arbeidskopi)
@@ -170,6 +170,7 @@
log_failure_msg "The system is also unable to create a temporary node in /dev/shm."
log_failure_msg "This means you have to fix the problem manually."
log_failure_msg "CONTROL-D will exit from this shell and REBOOT the system."
+ /usr/sbin/selinuxenabled && disable_selinux
# Start a single user shell on the console
/sbin/sulogin $CONSOLE
reboot -f
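Review bot: the guard `/usr/sbin/selinuxenabled && disable_selinux` fails quietly when the binary cannot be executed: the && list short-circuits, no warning is printed, and sulogin starts with SELinux still enforcing. The message notes this is likely when /usr is on a separate partition, and this branch is reached when the system already needs manual repair. Detecting SELinux through /proc/mounts, as in the snippet from the message, would remove the dependency on /usr here.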
@@ -279,6 +280,7 @@
log_failure_msg " # mount -n -o remount,rw /"
log_failure_msg "In order to exit from the maintenance shell, press CONTROL-D"
log_failure_msg "and the system will REBOOT."
+ /usr/sbin/selinuxenabled && disable_selinux
# Start a single user shell on the console
/sbin/sulogin $CONSOLE
reboot -f
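The /proc/mounts based detection described in the message, combined with saving and restoring the enforce value around the recovery shell, as an added example that is not part of the original message or of the initscripts package. The function names and the MOUNTS and ATTR overrides are assumptions introduced so the logic can be run against constructed files.

```sh
#!/bin/sh
# Added example. Function names and the MOUNTS/ATTR overrides are assumptions
# made for illustration; they let the logic run against constructed files.
MOUNTS=${MOUNTS:-/proc/mounts}
ATTR=${ATTR:-/proc/self/attr/current}

# Print the selinuxfs mount point, or nothing if it is not mounted.
selinux_mountpoint () {
    awk '$3 == "selinuxfs" { print $2; exit }' "$MOUNTS" 2>/dev/null
}

# Print 1 (enforcing) or 0 (permissive); print nothing if SELinux is inactive.
selinux_state () {
    st_fs=$(selinux_mountpoint)
    [ -n "$st_fs" ] || return 0
    [ "$(cat "$ATTR" 2>/dev/null)" != "kernel" ] || return 0
    if [ -r "$st_fs/enforce" ]; then
        cat "$st_fs/enforce"
    else
        echo 1    # assume enforcing if the file cannot be read
    fi
}

# Run "$@" with enforcement switched off, then put the saved state back.
with_selinux_permissive () {
    wp_fs=$(selinux_mountpoint)
    wp_saved=$(selinux_state)
    wp_rc=0
    if [ "$wp_saved" = "1" ]; then
        echo "*** Warning -- SELinux is active" >&2
        echo "*** Disabling security enforcement for system recovery." >&2
        echo 0 > "$wp_fs/enforce" || echo "*** Could not write $wp_fs/enforce" >&2
    fi
    "$@" || wp_rc=$?
    if [ "$wp_saved" = "1" ]; then
        echo 1 > "$wp_fs/enforce"    # restore enforcing mode
    fi
    return "$wp_rc"
}

# Intended call site (not executed here):
#   with_selinux_permissive /sbin/sulogin "$CONSOLE"
```

Because the wrapper only restores a state it saved as enforcing, a system that was already permissive or has SELinux inactive is left untouched.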