selinux: bail out if policy could not be loaded and selinux=0 not

specified

modules.d/99base/selinux-loadpolicy.sh

@@ -1,24 +1,60 @@
 #!/bin/sh
 # FIXME: load selinux policy.  this should really be done after we switchroot 
 
-if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then
-    ret=0
-    info "Loading SELinux policy"
-    {
-        # load_policy does mount /proc and /selinux in libselinux,selinux_init_load_policy()
-        if [ -x "$NEWROOT/sbin/load_policy" ]; then
-            chroot "$NEWROOT" /sbin/load_policy -i
-            ret=$?
-        else
-            chroot "$NEWROOT" /usr/sbin/load_policy -i
-            ret=$?
-        fi
-    } 2>&1 | vinfo
+rd_load_policy()
+{
 
-    if [ $ret -eq 3 ]; then
-	warn "Initial SELinux policy load failed and enforcing mode requested."
+    SELINUX="enforcing"
+    [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config"
+
+    # If SELinux is disabled exit now 
+    getarg "selinux=0" > /dev/null
+    if [ $? -eq 0 -o "$SELINUX" = "disabled" ]; then
+	return 0
+    fi
+
+    # Check whether SELinux is in permissive mode
+    permissive=0
+    getarg "enforcing=0" > /dev/null
+    if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then
+	permissive=1
+    fi
+
+    # Attempt to load SELinux Policy
+    if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then
+	ret=0
+	info "Loading SELinux policy"
+	{
+            # load_policy does mount /proc and /selinux in 
+            # libselinux,selinux_init_load_policy()
+            if [ -x "$NEWROOT/sbin/load_policy" ]; then
+		chroot "$NEWROOT" /sbin/load_policy -i
+		ret=$?
+            else
+		chroot "$NEWROOT" /usr/sbin/load_policy -i
+		ret=$?
+            fi
+	} 2>&1 | vinfo
+
+	if [ $ret -eq 0 -o $ret -eq 2 ]; then
+	    return 0
+	fi
+
+	warn "Initial SELinux policy load failed."
+	if [ $ret -eq 3 -o $permissive -eq 0 ]; then
+	    warn "Machine in enforcing mode."
+	    warn "Not continuing"
+	    sleep 100d
+	    exit 1
+	fi
+	return 0
+    elif [ $permissive -eq 0 ]; then
+	warn "Machine in enforcing mode and cannot execute load_policy."
+	warn "To disable selinux, add selinux=0 to the kernel command line."
 	warn "Not continuing"
 	sleep 100d
 	exit 1
     fi
-fi
+}
+
+rd_load_policy

test/TEST-10-RAID/test.sh

@@ -9,7 +9,7 @@ KVERSION=${KVERSION-$(uname -r)}
 test_run() {
     $testdir/run-qemu -hda root.ext2 -m 256M -nographic \
 	-net none -kernel /boot/vmlinuz-$KVERSION \
-	-append "root=/dev/dracut/root rw quiet console=ttyS0,115200n81 rdshell $DEBUGFAIL" \
+	-append "root=/dev/dracut/root rw quiet console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \
 	-initrd initramfs.testing
     grep -m 1 -q dracut-root-block-success root.ext2 || return 1
 }
@@ -53,7 +53,7 @@ test_setup() {
     # Invoke KVM and/or QEMU to actually create the target filesystem.
     $testdir/run-qemu -hda root.ext2 -m 256M -nographic -net none \
 	-kernel "/boot/vmlinuz-$kernel" \
-	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.makeroot  || return 1
     grep -m 1 -q dracut-root-block-created root.ext2 || return 1
     (

test/TEST-11-LVM/test.sh

@@ -9,7 +9,7 @@ KVERSION=${KVERSION-$(uname -r)}
 test_run() {
     $testdir/run-qemu -hda root.ext2 -m 256M -nographic \
 	-net none -kernel /boot/vmlinuz-$KVERSION \
-	-append "root=/dev/dracut/root rw quiet rdinfo console=ttyS0,115200n81 rdshell $DEBUGFAIL" \
+	-append "root=/dev/dracut/root rw quiet rdinfo console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \
 	-initrd initramfs.testing
     grep -m 1 -q dracut-root-block-success root.ext2 || return 1
 }
@@ -52,7 +52,7 @@ test_setup() {
     # Invoke KVM and/or QEMU to actually create the target filesystem.
     $testdir/run-qemu -hda root.ext2 -m 256M -nographic -net none \
 	-kernel "/boot/vmlinuz-$kernel" \
-	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.makeroot  || return 1
     grep -m 1 -q dracut-root-block-created root.ext2 || return 1
     (

test/TEST-12-RAID-DEG/test.sh

@@ -10,7 +10,7 @@ client_run() {
     echo "CLIENT TEST START: $@"
     $testdir/run-qemu -hda root.ext2 -m 256M -nographic \
 	-net none -kernel /boot/vmlinuz-$KVERSION \
-	-append "$@ root=LABEL=root rw quiet rdinfo console=ttyS0,115200n81 rdshell $DEBUGFAIL " \
+	-append "$@ root=LABEL=root rw quiet rdinfo console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL " \
 	-initrd initramfs.testing
     if ! grep -m 1 -q dracut-root-block-success root.ext2; then
 	echo "CLIENT TEST END: $@ [FAIL]"
@@ -87,7 +87,7 @@ test_setup() {
     # Invoke KVM and/or QEMU to actually create the target filesystem.
     $testdir/run-qemu -hda root.ext2 -m 256M -nographic -net none \
 	-kernel "/boot/vmlinuz-$kernel" \
-	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.makeroot  || return 1
     grep -m 1 -q dracut-root-block-created root.ext2 || return 1
     eval $(grep --binary-files=text -m 1 MD_UUID root.ext2)

test/TEST-13-ENC-RAID-LVM/test.sh

@@ -9,7 +9,7 @@ KVERSION=${KVERSION-$(uname -r)}
 test_run() {
     $testdir/run-qemu -hda root.ext2 -m 256M -nographic \
 	-net none -kernel /boot/vmlinuz-$KVERSION \
-	-append "root=/dev/dracut/root rw quiet rdinfo console=ttyS0,115200n81 rdshell $DEBUGFAIL" \
+	-append "root=/dev/dracut/root rw quiet rdinfo console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \
 	-initrd initramfs.testing
     grep -m 1 -q dracut-root-block-success root.ext2 || return 1
 }
@@ -52,7 +52,7 @@ test_setup() {
     # Invoke KVM and/or QEMU to actually create the target filesystem.
     $testdir/run-qemu -hda root.ext2 -m 256M -nographic -net none \
 	-kernel "/boot/vmlinuz-$kernel" \
-	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.makeroot  || return 1
     grep -m 1 -q dracut-root-block-created root.ext2 || return 1
     (

test/TEST-14-IMSM/test.sh

@@ -10,7 +10,7 @@ client_run() {
     echo "CLIENT TEST START: $@"
     $testdir/run-qemu -hda root.ext2 -hdb disk1 -hdc disk2 -m 256M -nographic \
 	-net none -kernel /boot/vmlinuz-$KVERSION \
-	-append "$@ root=LABEL=root rw quiet rdinfo console=ttyS0,115200n81 rdshell $DEBUGFAIL" \
+	-append "$@ root=LABEL=root rw quiet rdinfo console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \
 	-initrd initramfs.testing
     if ! grep -m 1 -q dracut-root-block-success root.ext2; then
 	echo "CLIENT TEST END: $@ [FAIL]"
@@ -74,7 +74,7 @@ test_setup() {
     # Invoke KVM and/or QEMU to actually create the target filesystem.
     $testdir/run-qemu -hda root.ext2 -hdb disk1 -hdc disk2 -m 256M -nographic -net none \
 	-kernel "/boot/vmlinuz-$kernel" \
-	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.makeroot  || return 1
     grep -m 1 -q dracut-root-block-created root.ext2 || return 1
     (

test/TEST-20-NFS/test.sh

@@ -15,7 +15,7 @@ run_server() {
 	-net socket,mcast=230.0.0.1:1234 \
 	-serial udp:127.0.0.1:9999 \
 	-kernel /boot/vmlinuz-$KVERSION \
-	-append "root=/dev/sda rw quiet console=ttyS0,115200n81" \
+	-append "root=/dev/sda rw quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.server -pidfile server.pid -daemonize || return 1
     sudo chmod 644 server.pid || return 1
 
@@ -46,7 +46,7 @@ client_test() {
   	-net nic,macaddr=$mac,model=e1000 \
   	-net socket,mcast=230.0.0.1:1234 \
   	-kernel /boot/vmlinuz-$KVERSION \
-  	-append "$cmdline $DEBUGFAIL rdshell ro quiet console=ttyS0,115200n81" \
+  	-append "$cmdline $DEBUGFAIL rdshell ro quiet console=ttyS0,115200n81 selinux=0" \
   	-initrd initramfs.testing
 
     if [[ $? -ne 0 ]] || ! grep -m 1 -q nfs-OK client.img; then

test/TEST-30-ISCSI/test.sh

@@ -14,7 +14,7 @@ run_server() {
 	-net socket,mcast=230.0.0.1:1235 \
 	-serial udp:127.0.0.1:9999 \
 	-kernel /boot/vmlinuz-$KVERSION \
-	-append "root=/dev/sda rw quiet console=ttyS0,115200n81" \
+	-append "root=/dev/sda rw quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.server -pidfile server.pid -daemonize || return 1
     sudo chmod 644 server.pid || return 1
 
@@ -37,7 +37,7 @@ run_client() {
   	-net nic,macaddr=52:54:00:12:34:00,model=e1000 \
   	-net socket,mcast=230.0.0.1:1235 \
   	-kernel /boot/vmlinuz-$KVERSION \
-	-append "root=dhcp rw quiet console=ttyS0,115200n81 rdshell $DEBUGFAIL" \
+	-append "root=dhcp rw quiet console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \
   	-initrd initramfs.testing
     grep -m 1 -q iscsi-OK client.img || return 1
 }
@@ -102,7 +102,7 @@ test_setup() {
     # Invoke KVM and/or QEMU to actually create the target filesystem.
     $testdir/run-qemu -hda root.ext2 -hdb client.img -m 256M -nographic -net none \
 	-kernel "/boot/vmlinuz-$kernel" \
-	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+	-append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.makeroot  || return 1
     grep -m 1 -q dracut-root-block-created client.img || return 1
     rm client.img

test/TEST-40-NBD/test.sh

@@ -16,7 +16,7 @@ run_server() {
 	-net socket,mcast=230.0.0.1:1236 \
 	-serial udp:127.0.0.1:9999 \
 	-kernel /boot/vmlinuz-$KVERSION \
-	-append "root=/dev/sda rw quiet console=ttyS0,115200n81" \
+	-append "root=/dev/sda rw quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.server -pidfile server.pid -daemonize || return 1
     sudo chmod 644 server.pid || return 1
 
@@ -50,7 +50,7 @@ client_test() {
 	-net nic,macaddr=$mac,model=e1000 \
 	-net socket,mcast=230.0.0.1:1236 \
 	-kernel /boot/vmlinuz-$KVERSION \
-	-append "$cmdline $DEBUGFAIL rdshell ro quiet console=ttyS0,115200n81" \
+	-append "$cmdline $DEBUGFAIL rdshell ro quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.testing
 
     if [[ $? -ne 0 ]] || ! grep -m 1 -q nbd-OK flag.img; then
@@ -207,7 +207,7 @@ make_encrypted_root() {
     $testdir/run-qemu -hda flag.img -hdb encrypted.ext2 -m 256M \
 	-nographic -net none \
 	-kernel "/boot/vmlinuz-$kernel" \
-	-append "root=/dev/dracut/root rw quiet console=ttyS0,115200n81" \
+	-append "root=/dev/dracut/root rw quiet console=ttyS0,115200n81 selinux=0" \
 	-initrd initramfs.makeroot  || return 1
     grep -m 1 -q dracut-root-block-created flag.img || return 1
 }