[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The possibility of SELinux targeted policy in the default install

Hello Christian,
> And, as an idea thrown in the wild, given that Manoj mentioned that
> SELinux support needs a kernel commend-line switch to be activated,
> couldn't we add "(SELinux enabled)"-like entries to the bootloader
> entries the same way we do with "(recovery)" at least with the default
> generated GRUB menu?

Switching back and forth is not that easy.
SELinux uses file labels stored in xattr attributes. While these labels
usually are on changed upon file creation, this still means that files
created during a non-SElinux-enabled boot will need to be relabeled. In
this case, a second reboot may be necessary to get the system into a
well-defined state:
assume that /sbin/init was upgraded in non-SELinux-mode. The file will
now have a bad label; after booting SELinux, the init process will be
badly labeled. The selinux-basics script will do a relabeling (it should
set the /.autorelabel flag on non-selinux-boots automatically). However
the running processes can't be
relabeled, so another reboot is necessary to have pid 1 running in the
proper domain.
So the average user will only be confused by this option, since it
rarely will work properly for him. This would make more sense for
switching between strict and targeted policy. The key bootup files such
as /sbin/init have the same labels in these, so switching should work
with a single reboot. For experienced users even without a reboot.

best regards,
Erich Schubert
   erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
     You know we all became mathematicians for the same reason:     //\
                  we were lazy. --- Max Rosenlicht                  V_/_
    Die eigentliche Aufgabe eines Freundes ist, dir beizustehen,
   wenn du im Unrecht bist. Jedermann ist auf deiner Seite, wenn
                  du im Recht bist. --- Mark Twain

Reply to: