[Pkg-sysvinit-devel] Bug#580272: sysvinit 2.88 and SELinux policy

Martin Orr martin at martinorr.name
Fri May 7 18:24:27 UTC 2010


With sysvinit 2.88 my SELinux policy is not loaded on boot; with 
sysvinit 2.87 everything worked fine.  I am running Debian; my 
initramfs mounts /proc but does not know about SELinux.

Here are the two pieces of code:

Old code:
    if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
            putenv("SELINUX_INIT=YES");
            if (selinux_init_load_policy(&enforce) == 0) {
                    execv(myname, argv);
            } else {
                    if (enforce > 0) {
                            /* SELinux in enforcing mode but load_policy failed */
                            /* At this point, we probably can't open /dev/console, so log() won't work */
                            printf("Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
                            exit(1);
                    }
            }
    }


New code:
    if (getenv("SELINUX_INIT") == NULL) {
      const int rc = mount("proc", "/proc", "proc", 0, 0);
      if (is_selinux_enabled() > 0) {
        putenv("SELINUX_INIT=YES");
        if (rc == 0) umount2("/proc", MNT_DETACH);
        if (selinux_init_load_policy(&enforce) == 0) {
          execv(myname, argv);
        } else {
          if (enforce > 0) {
            /* SELinux in enforcing mode but load_policy failed */
            /* At this point, we probably can't open /dev/console, so log() won't work */
            fprintf(stderr, "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
            exit(1);
          }
        }
      }
      if (rc == 0) umount2("/proc", MNT_DETACH);
    }

The differences here are that the new code ensures that /proc is 
mounted, and !is_selinux_enabled() becomes (is_selinux_enabled() > 0).

I think the change was due to this:
http://thread.gmane.org/gmane.comp.security.selinux/13320
(is_selinux_enabled() returns -1 if /proc not mounted).

I am not clear what the purpose of this is_selinux_enabled() check is: 
is it to avoid loading policy if policy has already been loaded by the 
initramfs, or is it to find out whether the system has been configured 
to use SELinux?

If it is the first, then I think the test should be put back to 
!is_selinux_enabled() - since init ensures /proc is mounted that should 
work with or without an initramfs.

If it is the second, then is_selinux_enabled() can't tell you that 
because it only returns 1 after a policy has been loaded.

Best wishes,
Martin
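Added illustration (not Martin's code and not sysvinit's): a small C model of the two predicates above, applied to the three return values the report attributes to is_selinux_enabled() (-1 when /proc is not mounted, 1 once a policy has been loaded; 0 is assumed here to be the remaining "not enabled" value). libselinux is not linked; the return codes of is_selinux_enabled() and selinux_init_load_policy() and the enforce flag are passed in as parameters so the control flow of each version can be compared on its own. The table it prints shows the reported symptom: with rc 0, 2.87 loads policy and re-executes, 2.88 skips; with rc -1, both skip.

```c
#include <stdio.h>

/* Return values of is_selinux_enabled() as described in the report:
 * -1 when it cannot tell (e.g. /proc not mounted), 1 once a policy has
 * been loaded; 0 is assumed to be the remaining "not enabled" value. */
enum selinux_state {
    SELINUX_UNKNOWN  = -1,
    SELINUX_DISABLED =  0,
    SELINUX_ENABLED  =  1
};

/* What init ends up doing after the SELinux block. */
enum init_action {
    ACTION_SKIP,      /* predicate false: policy load never attempted */
    ACTION_REEXEC,    /* policy loaded, init re-executes itself */
    ACTION_HALT,      /* load failed in enforcing mode: exit(1) */
    ACTION_CONTINUE   /* load failed but permissive: boot goes on */
};

/* sysvinit 2.87 predicate: !is_selinux_enabled() */
int old_check_would_load(int rc) { return !rc; }

/* sysvinit 2.88 predicate: is_selinux_enabled() > 0 */
int new_check_would_load(int rc) { return rc > 0; }

/* Classify the raw return code without collapsing -1 into 0 or 1. */
enum selinux_state classify(int rc)
{
    if (rc < 0)
        return SELINUX_UNKNOWN;
    return rc > 0 ? SELINUX_ENABLED : SELINUX_DISABLED;
}

/* Pure model of the control flow shared by both versions: would_load is
 * the version's predicate result, load_rc stands for the return value of
 * selinux_init_load_policy(), enforce for the value it wrote back. */
static enum init_action model(int would_load, int load_rc, int enforce)
{
    if (!would_load)
        return ACTION_SKIP;
    if (load_rc == 0)
        return ACTION_REEXEC;
    if (enforce > 0)
        return ACTION_HALT;
    return ACTION_CONTINUE;
}

enum init_action model_2_87(int rc, int load_rc, int enforce)
{
    return model(old_check_would_load(rc), load_rc, enforce);
}

enum init_action model_2_88(int rc, int load_rc, int enforce)
{
    return model(new_check_would_load(rc), load_rc, enforce);
}

static const char *action_name(enum init_action a)
{
    switch (a) {
    case ACTION_SKIP:   return "skip";
    case ACTION_REEXEC: return "reexec";
    case ACTION_HALT:   return "halt";
    default:            return "continue";
    }
}

int main(void)
{
    /* Constructed scenario: load_policy would succeed (0) and the
     * system is enforcing (1); only the is_selinux_enabled() value varies. */
    const int codes[] = { SELINUX_UNKNOWN, SELINUX_DISABLED, SELINUX_ENABLED };
    size_t i;

    printf("%-4s %-8s %-8s\n", "rc", "2.87", "2.88");
    for (i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        printf("%-4d %-8s %-8s\n", codes[i],
               action_name(model_2_87(codes[i], 0, 1)),
               action_name(model_2_88(codes[i], 0, 1)));
    }
    return 0;
}
```

The point the model makes concrete is that is_selinux_enabled() is tri-state, so a boolean negation and a "> 0" comparison each discard one of the three cases: the old check never attempts a load when the answer is "unknown" (-1), the new check never attempts one when the answer is "not yet enabled" (0), which is the state a system without a SELinux-aware initramfs is in at that point.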