Author: aitor Date: To: dng Subject: Re: [DNG] running with separate / and /usr
Hi Rainer,
On 11/1/23 22:59, Rainer Weikusat via Dng wrote:
> My workaround was copying the missing libraries to / using a live system
> I booted from USB:-).
>
> The alternate idea I was thinking about (after
> implementing this just for init) was creating some sort of library which
> loads the real SELinux library via dlopen and fails gracefully when this
> isn't possible (instead of the kernel panic caused by init
> exiting). This would probably need to become a forked selinux library
> package (and may well not be possible at all, although I think it should
> be possible).
So, your alternate idea is about using dlopen(), dlsym(), dlclose() on an intermediary library without having to link
directly against selinux. Doing it this way, selinux will be loaded on demand when the program finds out that it needs
to do some SELinux stuff. In the case you are exposing, to check whether SELinux is enabled in order to load its
policy, after which the init program will restart itself in the requested security context. If SELinux is not available
in the system, avoid the kernel panic and go ahead... Right?
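
The approach discussed in this message, as an added example that is not part of the original e-mail or of any sysvinit or SELinux code: a small shim resolves `is_selinux_enabled` and `selinux_init_load_policy` from `libselinux.so.1` at run time and reports "unavailable" instead of exiting when the library or a symbol is missing. The names `selinux_shim`, `shim_open` and `shim_selinux_enabled` are hypothetical.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical shim type: the dlopen handle plus the resolved entry points. */
struct selinux_shim {
    void *handle;
    int (*is_selinux_enabled)(void);
    int (*selinux_init_load_policy)(int *enforce);
};

/* Returns 0 when the library and both symbols resolved, -1 otherwise. */
int shim_open(struct selinux_shim *s, const char *soname)
{
    memset(s, 0, sizeof(*s));
    s->handle = dlopen(soname, RTLD_NOW | RTLD_LOCAL);
    if (!s->handle)
        return -1;              /* e.g. library lives on a /usr not mounted yet */
    /* POSIX idiom for storing dlsym's void * into a function pointer. */
    *(void **)&s->is_selinux_enabled = dlsym(s->handle, "is_selinux_enabled");
    *(void **)&s->selinux_init_load_policy =
        dlsym(s->handle, "selinux_init_load_policy");
    if (!s->is_selinux_enabled || !s->selinux_init_load_policy) {
        dlclose(s->handle);     /* found a library, but not a usable one */
        memset(s, 0, sizeof(*s));
        return -1;
    }
    return 0;
}

/* 1 = SELinux enabled, 0 = disabled or library unavailable. */
int shim_selinux_enabled(const struct selinux_shim *s)
{
    return (s->handle && s->is_selinux_enabled() > 0) ? 1 : 0;
}

int main(void)
{
    struct selinux_shim s;
    if (shim_open(&s, "libselinux.so.1") != 0) {
        fprintf(stderr, "libselinux unavailable, continuing without SELinux\n");
        return 0;               /* the caller keeps booting instead of exiting */
    }
    printf("SELinux enabled: %d\n", shim_selinux_enabled(&s));
    dlclose(s.handle);
    return 0;
}
```

On glibc older than 2.34 this needs `-ldl` at link time.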