[systemd-devel] Expected behavior when systemd cannot load SELinux policy
Hello,

currently, when SELINUX=enforcing and SELINUXTYPE=invalid value are set in /etc/selinux/config, systemd refuses to boot with "Failed to load SELinux policy. Freezing." Is this really what should happen?

If SELINUX is set to permissive or disabled, though, systemd happily continues booting. I think that that's what should happen when SELINUX is set to enforcing as well. Plus a big warning in the log, or maybe even on the console, of course.

What do you think?

Cheers,
--
Jan Synacek
Software Engineer, Red Hat

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Re: [systemd-devel] Expected behavior when systemd cannot load SELinux policy
On Fri, 07.11.14 11:30, Jan Synáček (jsyna...@redhat.com) wrote:

> Hello,
>
> currently, when SELINUX=enforcing and SELINUXTYPE=invalid value are set in /etc/selinux/config, systemd refuses to boot with "Failed to load SELinux policy. Freezing." Is this really what should happen?
>
> If SELINUX is set to permissive or disabled, though, systemd happily continues booting. I think that that's what should happen when SELINUX is set to enforcing as well. Plus a big warning in the log, or maybe even on the console, of course.
>
> What do you think?

Well, if we are in enforcing mode then this means that everything that is not OK needs to fail, and this includes the policy being corrupted or missing really. Enforcing mode is really this super secure mode where we'd rather hang the machine than possibly allow things to go through that might not be let through if the policy would be order...

Lennart

--
Lennart Poettering, Red Hat

Re: [systemd-devel] Expected behavior when systemd cannot load SELinux policy
On 11/07/2014 11:09 AM, Lennart Poettering wrote:

> On Fri, 07.11.14 11:30, Jan Synáček (jsyna...@redhat.com) wrote:
>
> > Hello,
> >
> > currently, when SELINUX=enforcing and SELINUXTYPE=invalid value are set in /etc/selinux/config, systemd refuses to boot with "Failed to load SELinux policy. Freezing." Is this really what should happen?
> >
> > If SELINUX is set to permissive or disabled, though, systemd happily continues booting. I think that that's what should happen when SELINUX is set to enforcing as well. Plus a big warning in the log, or maybe even on the console, of course.
> >
> > What do you think?
>
> Well, if we are in enforcing mode then this means that everything that is not OK needs to fail, and this includes the policy being corrupted or missing really. Enforcing mode is really this super secure mode where we'd rather hang the machine than possibly allow things to go through that might not be let through if the policy would be order...
>
> Lennart

Yes, think of super secure systems. If you had a machine that contained TopSecret information, then booting without the policy in effect would potentially lead to compromised information.
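
A pre-reboot check for the situation discussed in this thread, added here as an example; it is not part of any message above and is not systemd code. It reads SELINUX and SELINUXTYPE from /etc/selinux/config and reports whether a compiled policy file exists for that type. The ROOT argument, the return codes and the handling of an empty SELINUXTYPE are assumptions of this example.

```shell
#!/bin/sh
# Added example, not systemd code. ROOT is a hypothetical parameter so the
# check can run against a mounted image or a test tree instead of /.
# Returns: 0 policy file found for the configured SELINUXTYPE
#          1 SELINUX=enforcing but no policy file: the boot described in
#            the thread would stop at "Failed to load SELinux policy."
#          2 no policy file, but mode is permissive/disabled (boot continues)
#          3 config file unreadable
check_selinux_config() {
    root="${1:-}"
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 3; }

    mode=""; ptype=""
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            SELINUX=*)     mode=$(printf '%s' "${line#SELINUX=}" | tr -d ' \t\r' | tr 'A-Z' 'a-z') ;;
            SELINUXTYPE=*) ptype=$(printf '%s' "${line#SELINUXTYPE=}" | tr -d ' \t\r') ;;
        esac
    done < "$cfg"

    # Compiled policies live in <root>/etc/selinux/<type>/policy/policy.<version>.
    # An empty SELINUXTYPE is treated as "no policy" (a choice of this example).
    found=0
    if [ -n "$ptype" ]; then
        for p in "$root/etc/selinux/$ptype/policy/policy."*; do
            if [ -f "$p" ]; then found=1; break; fi
        done
    fi

    if [ "$found" -eq 1 ]; then
        echo "ok: SELINUX=$mode SELINUXTYPE=$ptype ($p)"
        return 0
    fi
    if [ "$mode" = "enforcing" ]; then
        echo "FAIL: SELINUX=enforcing but no policy for SELINUXTYPE='$ptype'" >&2
        return 1
    fi
    echo "warn: no policy for SELINUXTYPE='$ptype' (SELINUX=$mode)" >&2
    return 2
}
```

Called with no argument, `check_selinux_config` inspects the running system's /etc/selinux/config; a return of 1 is the case where the next boot would freeze rather than start without a policy.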