Basic support for loading SELinux from the initramfs

16 years ago · 654568b39e
2 changed files with 12 additions and 2 deletions
--- a/2
+++ b/2
@ -66,7 +66,7 @@ fi
				@@ -66,7 +66,7 @@ fi
 initdir=$(mktemp -d -t initramfs.XXXXXX)

 # executables that we have to have
-exe="/bin/bash /bin/mount /bin/mknod /bin/mkdir /sbin/modprobe /sbin/udevd /sbin/udevadm /sbin/nash /bin/kill /sbin/pidof /bin/sleep /bin/echo"
+exe="/bin/bash /bin/mount /bin/mknod /bin/mkdir /sbin/modprobe /sbin/udevd /sbin/udevadm /sbin/nash /bin/kill /sbin/pidof /bin/sleep /bin/echo /usr/sbin/chroot"
 lvmexe="/sbin/lvm"
 cryptexe="/sbin/cryptsetup"
 # and some things that are nice for debugging
--- a/12
+++ b/12
@ -91,12 +91,22 @@ mount --bind /dev $NEWROOT/dev
				@@ -91,12 +91,22 @@ mount --bind /dev $NEWROOT/dev
 mount -t proc /proc $NEWROOT/proc
 mount -t sysfs /sys $NEWROOT/sys

-# FIXME: load selinux policy
+# FIXME: load selinux policy.  this should really be done after we switchroot 
+if [ -x $NEWROOT/usr/sbin/load_policy ]; then
+  chroot $NEWROOT /usr/sbin/load_policy -i
+  if [ $? -eq 3 ]; then
+    echo "Initial SELinux policy load failed and enforcing mode requested."
+    echo "Not continuing"
+    sleep 100d
+    exit 1
+  fi
+fi

 # kill off udev
 kill `pidof udevd`

 [ -x /bin/plymouth ] && /bin/plymouth --newroot=$NEWROOT
+
 # FIXME: nash die die die
 exec /sbin/switch_root
 # davej doesn't like initrd bugs