dracut/modules.d/98selinux/selinux-loadpolicy.sh

#!/bin/sh

# FIXME: load selinux policy.  this should really be done after we switchroot

rd_load_policy()
{
    # If SELinux is disabled exit now
    getarg "selinux=0" > /dev/null && return 0

    SELINUX="enforcing"
    [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"

    # Check whether SELinux is in permissive mode
    permissive=0
    getarg "enforcing=0" > /dev/null
    if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then
        permissive=1
    fi

    # Attempt to load SELinux Policy
    if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then
        local ret=0
        local out
        info "Loading SELinux policy"
        mount -o bind /sys $NEWROOT/sys
        # load_policy does mount /proc and /sys/fs/selinux in
        # libselinux,selinux_init_load_policy()
        if [ -x "$NEWROOT/sbin/load_policy" ]; then
            out=$(LANG=C chroot "$NEWROOT" /sbin/load_policy -i 2>&1)
            ret=$?
            info $out
        else
            out=$(LANG=C chroot "$NEWROOT" /usr/sbin/load_policy -i 2>&1)
            ret=$?
            info $out
        fi
        umount $NEWROOT/sys/fs/selinux
        umount $NEWROOT/sys

        if [ "$SELINUX" = "disabled" ]; then
            return 0;
        fi

        if [ $ret -eq 0 -o $ret -eq 2 ]; then
            # If machine requires a relabel, force to permissive mode
            [ -e "$NEWROOT"/.autorelabel ] && LANG=C /usr/sbin/setenforce 0
            mount --rbind /dev "$NEWROOT/dev"
            LANG=C chroot "$NEWROOT" /sbin/restorecon -R /dev
            umount -R "$NEWROOT/dev"
            return 0
        fi

        warn "Initial SELinux policy load failed."
        if [ $ret -eq 3 -o $permissive -eq 0 ]; then
            warn "Machine in enforcing mode."
            warn "Not continuing"
            action_on_fail -n selinux || exit 1
        fi
        return 0
    elif [ $permissive -eq 0 -a "$SELINUX" != "disabled" ]; then
        warn "Machine in enforcing mode and cannot execute load_policy."
        warn "To disable selinux, add selinux=0 to the kernel command line."
        warn "Not continuing"
        action_on_fail -n selinux || exit 1
    fi
}

rd_load_policy
[PATCH 35/50] POSIX-ize all the shell scripts that get installed to the initramfs. Also install all the scripts using inst, so that we can install the right shell interpreter for our scripts. We still install bash as well. 16 years ago			`#!/bin/sh`
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago
removed trailing whitespaces 14 years ago			`# FIXME: load selinux policy. this should really be done after we switchroot`
selinux-loadpolicy.sh: mount /proc and /selinux before loading the policies also check for /sbin/load_policy 16 years ago
selinux: bail out if policy could not be loaded and selinux=0 not specified 16 years ago			`rd_load_policy()`
			`{`
removed trailing whitespaces 14 years ago			`# If SELinux is disabled exit now`
selinux-loadpolicy.sh: exit for "selinux=0" 15 years ago			`getarg "selinux=0" > /dev/null && return 0`
selinux: bail out if policy could not be loaded and selinux=0 not specified 16 years ago
			`SELINUX="enforcing"`
			`[ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"`

			`# Check whether SELinux is in permissive mode`
			`permissive=0`
removed trailing whitespaces 14 years ago			`getarg "enforcing=0" > /dev/null`
selinux: bail out if policy could not be loaded and selinux=0 not specified 16 years ago			`if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then`
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`permissive=1`
selinux: bail out if policy could not be loaded and selinux=0 not specified 16 years ago			`fi`

			`# Attempt to load SELinux Policy`
			`if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then`
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`local ret=0`
			`local out`
			`info "Loading SELinux policy"`
selinux: load_policy script fix chroot load_policy will use selinuxfs which should be mounted in $NEWROOT/sys/fs/selinux for Fedora 19, but because there's no $NEWROOT/sys/fs, so later process will fail. Fixing this by bind mount /sys to $NEWROOT/sys. Signed-off-by: Dave Young <dyoung@redhat.com> 12 years ago			`mount -o bind /sys $NEWROOT/sys`
			`# load_policy does mount /proc and /sys/fs/selinux in`
selinux: fixed error handling for load-policy {} \| cmd opens a subshell for {} 15 years ago			`# libselinux,selinux_init_load_policy()`
			`if [ -x "$NEWROOT/sbin/load_policy" ]; then`
selinux/selinux-loadpolicy.sh: set LANG=C for load_policy and restorecon set LANG=C for chroot execed tools, because the terminal might not be able to display the messages and the rest is not translated anyway. 14 years ago			`out=$(LANG=C chroot "$NEWROOT" /sbin/load_policy -i 2>&1)`
selinux: fixed error handling for load-policy {} \| cmd opens a subshell for {} 15 years ago			`ret=$?`
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`info $out`
selinux: fixed error handling for load-policy {} \| cmd opens a subshell for {} 15 years ago			`else`
selinux/selinux-loadpolicy.sh: set LANG=C for load_policy and restorecon set LANG=C for chroot execed tools, because the terminal might not be able to display the messages and the rest is not translated anyway. 14 years ago			`out=$(LANG=C chroot "$NEWROOT" /usr/sbin/load_policy -i 2>&1)`
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`ret=$?`
			`info $out`
selinux: fixed error handling for load-policy {} \| cmd opens a subshell for {} 15 years ago			`fi`
selinux: load_policy script fix chroot load_policy will use selinuxfs which should be mounted in $NEWROOT/sys/fs/selinux for Fedora 19, but because there's no $NEWROOT/sys/fs, so later process will fail. Fixing this by bind mount /sys to $NEWROOT/sys. Signed-off-by: Dave Young <dyoung@redhat.com> 12 years ago			`umount $NEWROOT/sys/fs/selinux`
			`umount $NEWROOT/sys`
selinux: bail out if policy could not be loaded and selinux=0 not specified 16 years ago
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`if [ "$SELINUX" = "disabled" ]; then`
			`return 0;`
			`fi`
fix selinux disabled state Execute load-policy when the config file contains SELINUX=disabled. 15 years ago
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`if [ $ret -eq 0 -o $ret -eq 2 ]; then`
			`# If machine requires a relabel, force to permissive mode`
98selinux: use setenforce to force permissive mode 14 years ago			`[ -e "$NEWROOT"/.autorelabel ] && LANG=C /usr/sbin/setenforce 0`
98selinux/selinux-loadpolicy.sh: use mount --rbind for /dev This preserves /dev/shm and /dev/pts for the selinux relabel. 13 years ago			`mount --rbind /dev "$NEWROOT/dev"`
selinux/selinux-loadpolicy.sh: set LANG=C for load_policy and restorecon set LANG=C for chroot execed tools, because the terminal might not be able to display the messages and the rest is not translated anyway. 14 years ago			`LANG=C chroot "$NEWROOT" /sbin/restorecon -R /dev`
selinux: umount $NEWROOT/dev and its submounts $NEWROOT/dev and its submounts should be umounted after we use it. Otherwise it fails other scripts that umount /sysroot only. Signed-off-by: WANG Chao <chaowang@redhat.com> 12 years ago			`umount -R "$NEWROOT/dev"`
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`return 0`
			`fi`
selinux: bail out if policy could not be loaded and selinux=0 not specified 16 years ago
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`warn "Initial SELinux policy load failed."`
			`if [ $ret -eq 3 -o $permissive -eq 0 ]; then`
			`warn "Machine in enforcing mode."`
			`warn "Not continuing"`
Let user specify the action after fail Currently the default action is emergency_shell when failure happened during system boot. In kdump, this default may not be expected. E.g, if dump target is not rootfs, it does not matter if mount root failed. Adding an action which allow dracut always go ahead though failure happens is needed by kdump. So here add a function action_on_fail() and cmdline parameter action_on_fail=<shell \| continue>. Use action_to_fail() to replace emergency_shell which was called after failure. By $(getarg action_on_fail=), decide to drop into shell, or to leave away the failure and go ahead. v3->v4: add handling of selinux policy loaded failure, and change code format to be consitent Signed-off-by: Baoquan He <bhe@redhat.com> [Edited by harald@redhat.com] 12 years ago			`action_on_fail -n selinux \|\| exit 1`
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`fi`
			`return 0`
selinux-loadpolicy.sh: exit for "selinux=0" 15 years ago			`elif [ $permissive -eq 0 -a "$SELINUX" != "disabled" ]; then`
reformat source code removed tabs and set indention to 4 spaces added emacs and vi format headers 15 years ago			`warn "Machine in enforcing mode and cannot execute load_policy."`
			`warn "To disable selinux, add selinux=0 to the kernel command line."`
			`warn "Not continuing"`
Let user specify the action after fail Currently the default action is emergency_shell when failure happened during system boot. In kdump, this default may not be expected. E.g, if dump target is not rootfs, it does not matter if mount root failed. Adding an action which allow dracut always go ahead though failure happens is needed by kdump. So here add a function action_on_fail() and cmdline parameter action_on_fail=<shell \| continue>. Use action_to_fail() to replace emergency_shell which was called after failure. By $(getarg action_on_fail=), decide to drop into shell, or to leave away the failure and go ahead. v3->v4: add handling of selinux policy loaded failure, and change code format to be consitent Signed-off-by: Baoquan He <bhe@redhat.com> [Edited by harald@redhat.com] 12 years ago			`action_on_fail -n selinux \|\| exit 1`
[PATCH 35/50] POSIX-ize all the shell scripts that get installed to the initramfs. Also install all the scripts using inst, so that we can install the right shell interpreter for our scripts. We still install bash as well. 16 years ago			`fi`
selinux: bail out if policy could not be loaded and selinux=0 not specified 16 years ago			`}`

			`rd_load_policy`