[Pkg-sysvinit-devel] Bug#580272: sysvinit 2.88 and SELinux policy

Michal Svoboda michal.svoboda at agents.felk.cvut.cz
Sat May 8 07:11:14 UTC 2010


Martin Orr wrote:
> The differences here are that the new code ensures that /proc is
> mounted, and !is_selinux_enabled() becomes (is_selinux_enabled() >
> 0).
 
> I think the change was due to this:
> http://thread.gmane.org/gmane.comp.security.selinux/13320
> (is_selinux_enabled() returns -1 if /proc not mounted).

They might have been inspired by it, but it is a completely different
fix than I proposed. 

In the original context, the C expression "!is_selinux_enabled()"
means "is_selinux_enabled() == 0". However, the function is tristate, as
its return values are -1, 0, and 1. In addition to 0, we also want -1 to
execute the code block below, so the expression becomes
"(foo = is_selinux_enabled(), foo == 0 || foo == -1)", or simply put
"is_selinux_enabled() != 1".

And why do we want that? Because the function checks if we already have a
policy loaded in the kernel. 1 means yes, 0 means no and -1 means no as
well. No need to mess with mounting /proc ;-)


Michal Svoboda
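
The three guards discussed in this thread, compared over each return value of is_selinux_enabled(). This is an added example, not part of the original message or of sysvinit; the guard function names and the bitmask helper are hypothetical, and the return values are fed in directly rather than by calling libselinux.

```c
#include <stdio.h>

/* Return values as described in the thread: 1 = policy loaded,
 * 0 = not loaded, -1 = e.g. /proc not mounted. */
enum { SE_ERROR = -1, SE_DISABLED = 0, SE_ENABLED = 1 };

/* Hypothetical names for the three guards compared in the thread. */
typedef int (*guard_fn)(int rc);

static int guard_original(int rc) { return !rc; }      /* !is_selinux_enabled()     */
static int guard_new(int rc)      { return rc > 0; }   /* is_selinux_enabled() > 0  */
static int guard_proposed(int rc) { return rc != 1; }  /* is_selinux_enabled() != 1 */

/* Bitmask of return values for which the guarded block runs:
 * bit 0 = -1, bit 1 = 0, bit 2 = 1. */
static unsigned states_entering_block(guard_fn guard)
{
    static const int states[] = { SE_ERROR, SE_DISABLED, SE_ENABLED };
    unsigned mask = 0;
    for (unsigned i = 0; i < 3; i++)
        if (guard(states[i]))
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    static const struct { const char *name; guard_fn fn; } guards[] = {
        { "!is_selinux_enabled()",     guard_original },
        { "is_selinux_enabled() > 0",  guard_new },
        { "is_selinux_enabled() != 1", guard_proposed },
    };
    printf("%-28s %5s %5s %5s\n", "guard", "-1", "0", "1");
    for (unsigned g = 0; g < 3; g++) {
        unsigned m = states_entering_block(guards[g].fn);
        printf("%-28s %5s %5s %5s\n", guards[g].name,
               (m & 1u) ? "run" : "skip",
               (m & 2u) ? "run" : "skip",
               (m & 4u) ? "run" : "skip");
    }
    return 0;
}
```

The table makes the difference visible: the original guard runs the block only for 0, the new one only for 1, and the proposed one for both -1 and 0.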
