
Re: can not boot with strict policy

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Mon Apr 23 2007 - 18:14:52 GMT
To: Stephen Smalley <sds@tycho.nsa.gov>


Stephen Smalley wrote:
> On Mon, 2007-04-23 at 13:42 -0400, James Morris wrote:
>
>> On Mon, 23 Apr 2007, Stephen Smalley wrote:
>>
>>> /lib/libsepol.so.1 should be labeled with shlib_t, not lib_t. Under
>>> targeted policy, they are aliases for one another. Under strict, they
>>> are separate types.
>>>
>>> Boot with "enforcing=0 single" to come up permissive into single-user
>>> mode, then run /sbin/fixfiles relabel -F to forcibly relabel everything,
>>> then reboot.
>>>
>> I wonder if we could automate this, so that the autorelabel is also run
>> on boot if you switch between different types of policy.
>>
>
> rc.sysinit does have autorelabel support, but that won't help in this
> case, because here everything (including /sbin/init) will fail to run
> due to the inability to execute shared libs. It would have to happen
> from early userspace or /sbin/init before loading policy and switching
> to enforcing mode.


So the real question is: is there much value in the division between lib_t and shlib_t?
When dealing with strict policy, shared libraries were always getting mislabeled as lib_t and causing problems, for little security advantage.

As we remove the differences between strict and targeted, I don't intend to get rid of lib_t == shlib_t.
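An added example, not from this thread or from the SELinux project: a small Python model of the check behind Stephen's diagnosis, showing why a listing labelled under targeted policy (where lib_t and shlib_t are aliases) fails the strict spec (where they are distinct). The file_contexts excerpt, the directory listing and the alias set are constructed assumptions, not the real policy files.

```python
import re

# Constructed excerpt in file_contexts format (regex, file-type flag, context).
# As with matchpathcon, a later matching line overrides an earlier one, so the
# general /lib rule comes first and the shared-library rule after it.
FILE_CONTEXTS = r"""
/lib(64)?(/.*)?                --   system_u:object_r:lib_t:s0
/lib(64)?/.*\.so(\.[^/]*)*     --   system_u:object_r:shlib_t:s0
/sbin(/.*)?                    --   system_u:object_r:sbin_t:s0
"""

# Constructed `ls -Z`-style listing of a box last relabelled under targeted
# policy: libsepol carries lib_t, which targeted policy never objected to.
LISTING = {
    "/lib/libsepol.so.1": "system_u:object_r:lib_t:s0",
    "/lib/libc.so.6": "system_u:object_r:shlib_t:s0",
    "/lib/modules/README": "system_u:object_r:lib_t:s0",
    "/sbin/init": "system_u:object_r:sbin_t:s0",
}

# Under targeted policy lib_t and shlib_t name the same type (assumed alias set).
TARGETED_ALIASES = (frozenset({"lib_t", "shlib_t"}),)

def parse_file_contexts(text):
    """Return [(compiled_regex, context), ...] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            specs.append((re.compile(parts[0] + "$"), parts[2]))
    return specs

def expected_type(path, specs):
    """Type field of the last spec whose regex matches the whole path."""
    ctx = None
    for rx, c in specs:
        if rx.match(path):
            ctx = c
    return ctx.split(":")[2] if ctx else None

def mislabeled(listing, specs, aliases=()):
    """Paths whose on-disk type is neither the expected type nor an alias of it."""
    bad = []
    for path, ctx in listing.items():
        actual = ctx.split(":")[2]
        want = expected_type(path, specs)
        if want is None or actual == want:
            continue
        if any({actual, want} <= group for group in aliases):
            continue  # same type under this policy, so not a mislabel
        bad.append((path, actual, want))
    return bad
```

Running `mislabeled(LISTING, parse_file_contexts(FILE_CONTEXTS))` reports only libsepol under strict, and nothing once the targeted alias set is supplied, which is the situation the thread describes before the forced relabel.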