:: Re: [DNG] running with separate / a…
Top Page
Delete this message
Reply to this message
Author: Rainer Weikusat
Date:  
To: dng
Subject: Re: [DNG] running with separate / and /usr
Ken Dibble <ken@???> writes:
> On 1/11/23 10:43, Rainer Weikusat via Dng wrote:
>> karl@??? writes:


[...]

>> I'm running a kernel with all critical drivers compiled in. It also
>> doesn't have SELinux support because that's not good for anything I
>> would want to do with this system.


[...]

> SELinux is needed for a whole lot of things.
>
> Here is a subset.
>
> apt-cache rdepends libselinux1:amd64
> libselinux1
> Reverse Depends:
>
> passwd
> dpkg
> dbus
>
> util-linux
>
> logrotate
> consolekit
> sysvinit-core
>
> openrc
>
> cron
>
> openssh-server
>
> So unless I have completely missed the boat (always a possibility with me),
>
> I am at a loss as to what type of system could function without these
> things.


Hmm ...

[rw@doppelsaurus]~/asciisec#grep -i selinux /proc/kallsyms
[rw@doppelsaurus]~/asciisec#

Even if SELinux happens to be compiled into the kernel (something I
haven't ever done so far), it can be disabled at boot time (or even at
runtime). Because of this, code trying to use SELinux features will
presumably typically look like this (that's from init):

#ifdef WITH_SELINUX
        if (getenv("SELINUX_INIT") == NULL) {
         if (is_selinux_enabled() != 1) {
            if (selinux_init_load_policy(&enforce) == 0) {
             putenv("SELINUX_INIT=YES");
              execv(myname, argv);
            } else {
              if (enforce > 0) {
                /* SELinux in enforcing mode but load_policy failed */
                /* At this point, we probably can't open /dev/console, so log() won't work */
                fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
                exit(1);
              }
            }
          }
        }
#endif  


ie, if SELinux support was enabled at compile time (#ifdef WITH_SELINUX)
and is actually enabled at run time, if (is_selinux_enabled() != 1) {,
then, do some SELinux stuff (in this case, load the selinux policy and
rexec init, using the environment variable SELINUX_INIT to stop this
from turning into an endless loop).