-rwxr-xr-x | modules.d/99base/selinux-loadpolicy.sh | 70 | ||||
-rwxr-xr-x | test/TEST-10-RAID/test.sh | 4 | ||||
-rwxr-xr-x | test/TEST-11-LVM/test.sh | 4 | ||||
-rwxr-xr-x | test/TEST-12-RAID-DEG/test.sh | 4 | ||||
-rwxr-xr-x | test/TEST-13-ENC-RAID-LVM/test.sh | 4 | ||||
-rwxr-xr-x | test/TEST-14-IMSM/test.sh | 4 | ||||
-rwxr-xr-x | test/TEST-20-NFS/test.sh | 4 | ||||
-rwxr-xr-x | test/TEST-30-ISCSI/test.sh | 6 | ||||
-rwxr-xr-x | test/TEST-40-NBD/test.sh | 6 |
9 files changed, 71 insertions, 35 deletions
diff --git a/modules.d/99base/selinux-loadpolicy.sh b/modules.d/99base/selinux-loadpolicy.sh
index 8285b51b..9e95b8de 100755
--- a/modules.d/99base/selinux-loadpolicy.sh
+++ b/modules.d/99base/selinux-loadpolicy.sh
@@ -1,24 +1,60 @@ #!/bin/sh # FIXME: load selinux policy. this should really be done after we switchroot -if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then - ret=0 - info "Loading SELinux policy" - { - # load_policy does mount /proc and /selinux in libselinux,selinux_init_load_policy() - if [ -x "$NEWROOT/sbin/load_policy" ]; then - chroot "$NEWROOT" /sbin/load_policy -i - ret=$? - else - chroot "$NEWROOT" /usr/sbin/load_policy -i - ret=$? - fi - } 2>&1 | vinfo - - if [ $ret -eq 3 ]; then - warn "Initial SELinux policy load failed and enforcing mode requested." +rd_load_policy() +{ + + SELINUX="enforcing" + [ -e "$NEWROOT/etc/selinux/config" ] && . "$NEWROOT/etc/selinux/config" + + # If SELinux is disabled exit now + getarg "selinux=0" > /dev/null + if [ $? -eq 0 -o "$SELINUX" = "disabled" ]; then + return 0 + fi + + # Check whether SELinux is in permissive mode + permissive=0 + getarg "enforcing=0" > /dev/null + if [ $? -eq 0 -o "$SELINUX" = "permissive" ]; then + permissive=1 + fi + + # Attempt to load SELinux Policy + if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then + ret=0 + info "Loading SELinux policy" + { + # load_policy does mount /proc and /selinux in + # libselinux,selinux_init_load_policy() + if [ -x "$NEWROOT/sbin/load_policy" ]; then + chroot "$NEWROOT" /sbin/load_policy -i + ret=$? + else + chroot "$NEWROOT" /usr/sbin/load_policy -i + ret=$? + fi + } 2>&1 | vinfo + + if [ $ret -eq 0 -o $ret -eq 2 ]; then + return 0 + fi + + warn "Initial SELinux policy load failed." + if [ $ret -eq 3 -o $permissive -eq 0 ]; then + warn "Machine in enforcing mode." + warn "Not continuing" + sleep 100d + exit 1 + fi + return 0 + elif [ $permissive -eq 0 ]; then + warn "Machine in enforcing mode and cannot execute load_policy." + warn "To disable selinux, add selinux=0 to the kernel command line." warn "Not continuing" sleep 100d exit 1 fi -fi +} + +rd_load_policy 
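Review bot: `ret` is assigned inside the `{ ... } 2>&1 | vinfo` pipeline, so under the POSIX sh this script targets the assignment happens in a subshell and the outer `ret` keeps the 0 it was initialised to; `if [ $ret -eq 0 -o $ret -eq 2 ]; then` therefore returns success whatever load_policy returned, and the enforcing-mode warn/sleep/exit branch below it is unreachable. The removed code had the same flaw, but the rewrite now makes the enforcing decision depend on `$ret`, so a failed policy load silently continues the boot with no policy loaded. Capture the status outside the pipeline and hand only the output to `vinfo`, as sketched below. Separately, `. "$NEWROOT/etc/selinux/config"` executes the root filesystem's config file as shell inside the initramfs, so anything in it beyond the `SELINUX=` assignment runs here and can clobber this script's variables; extracting the `SELINUX=` value with a `sed`/`grep` expression would be narrower. The whole body of rd_load_policy is inside the hunk.
```shell
    # Attempt to load SELinux Policy
    if [ -x "$NEWROOT/usr/sbin/load_policy" -o -x "$NEWROOT/sbin/load_policy" ]; then
        info "Loading SELinux policy"
        # load_policy does mount /proc and /selinux in
        # libselinux,selinux_init_load_policy()
        if [ -x "$NEWROOT/sbin/load_policy" ]; then
            load_policy_bin=/sbin/load_policy
        else
            load_policy_bin=/usr/sbin/load_policy
        fi
        # Run load_policy outside any pipeline so its exit status reaches
        # this shell; the captured output is handed to vinfo afterwards.
        load_policy_out=$(chroot "$NEWROOT" "$load_policy_bin" -i 2>&1)
        ret=$?
        [ -n "$load_policy_out" ] && printf '%s\n' "$load_policy_out" | vinfo
        # … unchanged: ret 0/2 early return, warn/sleep/exit handling, elif branch …
```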
diff --git a/test/TEST-10-RAID/test.sh b/test/TEST-10-RAID/test.sh
index 7d793d3c..0e7fed58 100755
--- a/test/TEST-10-RAID/test.sh
+++ b/test/TEST-10-RAID/test.sh
@@ -9,7 +9,7 @@ KVERSION=${KVERSION-$(uname -r)}
 test_run() {
 $testdir/run-qemu -hda root.ext2 -m 256M -nographic \
 -net none -kernel /boot/vmlinuz-$KVERSION \
- -append "root=/dev/dracut/root rw quiet console=ttyS0,115200n81 rdshell $DEBUGFAIL" \
+ -append "root=/dev/dracut/root rw quiet console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \
 -initrd initramfs.testing
 grep -m 1 -q dracut-root-block-success root.ext2 || return 1
 }
@@ -53,7 +53,7 @@ test_setup() {
 # Invoke KVM and/or QEMU to actually create the target filesystem.
 $testdir/run-qemu -hda root.ext2 -m 256M -nographic -net none \
 -kernel "/boot/vmlinuz-$kernel" \
- -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+ -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 -initrd initramfs.makeroot || return 1
 grep -m 1 -q dracut-root-block-created root.ext2 || return 1
 (
diff --git a/test/TEST-11-LVM/test.sh b/test/TEST-11-LVM/test.sh
index 9747e158..0bc9b9fc 100755
--- a/test/TEST-11-LVM/test.sh
+++ b/test/TEST-11-LVM/test.sh
@@ -9,7 +9,7 @@ KVERSION=${KVERSION-$(uname -r)}
 test_run() {
 $testdir/run-qemu -hda root.ext2 -m 256M -nographic \
 -net none -kernel /boot/vmlinuz-$KVERSION \
- -append "root=/dev/dracut/root rw quiet rdinfo console=ttyS0,115200n81 rdshell $DEBUGFAIL" \
+ -append "root=/dev/dracut/root rw quiet rdinfo console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \
 -initrd initramfs.testing
 grep -m 1 -q dracut-root-block-success root.ext2 || return 1
 }
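Review bot: Every test command line in this commit gains `selinux=0`, which makes the new rd_load_policy in modules.d/99base/selinux-loadpolicy.sh return before load_policy is ever invoked, so the suite now exercises only that early-exit branch and the policy-load and enforcing-abort paths appear to have no test coverage at all (inferred; the contents of the test images are not in the diff). The same applies to the remaining hunks in TEST-11 through TEST-40 on the following lines. If the intent is only to keep the test VMs from halting in rd_load_policy, a comment on the first `-append` line such as `# selinux=0: skip rd_load_policy in the test VM` would record why, and a single test that boots with SELinux enabled and a policy present would cover the new abort logic.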
@@ -52,7 +52,7 @@ test_setup() {
 # Invoke KVM and/or QEMU to actually create the target filesystem.
 $testdir/run-qemu -hda root.ext2 -m 256M -nographic -net none \
 -kernel "/boot/vmlinuz-$kernel" \
- -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+ -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 -initrd initramfs.makeroot || return 1
 grep -m 1 -q dracut-root-block-created root.ext2 || return 1
 (
diff --git a/test/TEST-12-RAID-DEG/test.sh b/test/TEST-12-RAID-DEG/test.sh
index 25c96341..43592532 100755
--- a/test/TEST-12-RAID-DEG/test.sh
+++ b/test/TEST-12-RAID-DEG/test.sh
@@ -10,7 +10,7 @@ client_run() {
 echo "CLIENT TEST START: $@"
 $testdir/run-qemu -hda root.ext2 -m 256M -nographic \
 -net none -kernel /boot/vmlinuz-$KVERSION \
- -append "$@ root=LABEL=root rw quiet rdinfo console=ttyS0,115200n81 rdshell $DEBUGFAIL " \
+ -append "$@ root=LABEL=root rw quiet rdinfo console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL " \
 -initrd initramfs.testing
 if ! grep -m 1 -q dracut-root-block-success root.ext2; then
 echo "CLIENT TEST END: $@ [FAIL]"
@@ -87,7 +87,7 @@ test_setup() {
 # Invoke KVM and/or QEMU to actually create the target filesystem.
 $testdir/run-qemu -hda root.ext2 -m 256M -nographic -net none \
 -kernel "/boot/vmlinuz-$kernel" \
- -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+ -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 -initrd initramfs.makeroot || return 1
 grep -m 1 -q dracut-root-block-created root.ext2 || return 1
 eval $(grep --binary-files=text -m 1 MD_UUID root.ext2)
diff --git a/test/TEST-13-ENC-RAID-LVM/test.sh b/test/TEST-13-ENC-RAID-LVM/test.sh
index 86ae4829..55af484a 100755
--- a/test/TEST-13-ENC-RAID-LVM/test.sh
+++ b/test/TEST-13-ENC-RAID-LVM/test.sh
@@ -9,7 +9,7 @@ KVERSION=${KVERSION-$(uname -r)}
 test_run() {
 $testdir/run-qemu -hda root.ext2 -m 256M -nographic \
 -net none -kernel /boot/vmlinuz-$KVERSION \
- -append "root=/dev/dracut/root rw quiet rdinfo console=ttyS0,115200n81 rdshell $DEBUGFAIL" \
+ -append "root=/dev/dracut/root rw quiet rdinfo console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \
 -initrd initramfs.testing
 grep -m 1 -q dracut-root-block-success root.ext2 || return 1
 }
@@ -52,7 +52,7 @@ test_setup() {
 # Invoke KVM and/or QEMU to actually create the target filesystem.
 $testdir/run-qemu -hda root.ext2 -m 256M -nographic -net none \
 -kernel "/boot/vmlinuz-$kernel" \
- -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \
+ -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \
 -initrd initramfs.makeroot || return 1
 grep -m 1 -q dracut-root-block-created root.ext2 || return 1
 (
diff --git a/test/TEST-14-IMSM/test.sh b/test/TEST-14-IMSM/test.sh
index 623546be..be33ac32 100755
--- a/test/TEST-14-IMSM/test.sh
+++ b/test/TEST-14-IMSM/test.sh
@@ -10,7 +10,7 @@ client_run() {
 echo "CLIENT TEST START: $@"
 $testdir/run-qemu -hda root.ext2 -hdb disk1 -hdc disk2 -m 256M -nographic \
 -net none -kernel /boot/vmlinuz-$KVERSION \
- -append "$@ root=LABEL=root rw quiet rdinfo console=ttyS0,115200n81 rdshell $DEBUGFAIL" \
+ -append "$@ root=LABEL=root rw quiet rdinfo console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \
 -initrd initramfs.testing
 if ! grep -m 1 -q dracut-root-block-success root.ext2; then
 echo "CLIENT TEST END: $@ [FAIL]"
@@ -74,7 +74,7 @@ test_setup() { # Invoke KVM and/or QEMU to actually create the target filesystem. $testdir/run-qemu -hda root.ext2 -hdb disk1 -hdc disk2 -m 256M -nographic -net none \ -kernel "/boot/vmlinuz-$kernel" \ - -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \ + -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \ -initrd initramfs.makeroot || return 1 grep -m 1 -q dracut-root-block-created root.ext2 || return 1 ( diff --git a/test/TEST-20-NFS/test.sh b/test/TEST-20-NFS/test.sh index cd814241..8072cf0b 100755 --- a/test/TEST-20-NFS/test.sh +++ b/test/TEST-20-NFS/test.sh @@ -15,7 +15,7 @@ run_server() { -net socket,mcast=230.0.0.1:1234 \ -serial udp:127.0.0.1:9999 \ -kernel /boot/vmlinuz-$KVERSION \ - -append "root=/dev/sda rw quiet console=ttyS0,115200n81" \ + -append "root=/dev/sda rw quiet console=ttyS0,115200n81 selinux=0" \ -initrd initramfs.server -pidfile server.pid -daemonize || return 1 sudo chmod 644 server.pid || return 1 @@ -46,7 +46,7 @@ client_test() { -net nic,macaddr=$mac,model=e1000 \ -net socket,mcast=230.0.0.1:1234 \ -kernel /boot/vmlinuz-$KVERSION \ - -append "$cmdline $DEBUGFAIL rdshell ro quiet console=ttyS0,115200n81" \ + -append "$cmdline $DEBUGFAIL rdshell ro quiet console=ttyS0,115200n81 selinux=0" \ -initrd initramfs.testing if [[ $? -ne 0 ]] || ! grep -m 1 -q nfs-OK client.img; then diff --git a/test/TEST-30-ISCSI/test.sh b/test/TEST-30-ISCSI/test.sh index 1b10c7ef..dc32775b 100755 --- a/test/TEST-30-ISCSI/test.sh +++ b/test/TEST-30-ISCSI/test.sh @@ -14,7 +14,7 @@ run_server() { -net socket,mcast=230.0.0.1:1235 \ -serial udp:127.0.0.1:9999 \ -kernel /boot/vmlinuz-$KVERSION \ - -append "root=/dev/sda rw quiet console=ttyS0,115200n81" \ + -append "root=/dev/sda rw quiet console=ttyS0,115200n81 selinux=0" \ -initrd initramfs.server -pidfile server.pid -daemonize || return 1 sudo chmod 644 server.pid || return 1 
@@ -37,7 +37,7 @@ run_client() { -net nic,macaddr=52:54:00:12:34:00,model=e1000 \ -net socket,mcast=230.0.0.1:1235 \ -kernel /boot/vmlinuz-$KVERSION \ - -append "root=dhcp rw quiet console=ttyS0,115200n81 rdshell $DEBUGFAIL" \ + -append "root=dhcp rw quiet console=ttyS0,115200n81 selinux=0 rdshell $DEBUGFAIL" \ -initrd initramfs.testing grep -m 1 -q iscsi-OK client.img || return 1 } @@ -102,7 +102,7 @@ test_setup() { # Invoke KVM and/or QEMU to actually create the target filesystem. $testdir/run-qemu -hda root.ext2 -hdb client.img -m 256M -nographic -net none \ -kernel "/boot/vmlinuz-$kernel" \ - -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81" \ + -append "root=/dev/dracut/root rw rootfstype=ext2 quiet console=ttyS0,115200n81 selinux=0" \ -initrd initramfs.makeroot || return 1 grep -m 1 -q dracut-root-block-created client.img || return 1 rm client.img diff --git a/test/TEST-40-NBD/test.sh b/test/TEST-40-NBD/test.sh index b3a580f1..1dfa0329 100755 --- a/test/TEST-40-NBD/test.sh +++ b/test/TEST-40-NBD/test.sh @@ -16,7 +16,7 @@ run_server() { -net socket,mcast=230.0.0.1:1236 \ -serial udp:127.0.0.1:9999 \ -kernel /boot/vmlinuz-$KVERSION \ - -append "root=/dev/sda rw quiet console=ttyS0,115200n81" \ + -append "root=/dev/sda rw quiet console=ttyS0,115200n81 selinux=0" \ -initrd initramfs.server -pidfile server.pid -daemonize || return 1 sudo chmod 644 server.pid || return 1 @@ -50,7 +50,7 @@ client_test() { -net nic,macaddr=$mac,model=e1000 \ -net socket,mcast=230.0.0.1:1236 \ -kernel /boot/vmlinuz-$KVERSION \ - -append "$cmdline $DEBUGFAIL rdshell ro quiet console=ttyS0,115200n81" \ + -append "$cmdline $DEBUGFAIL rdshell ro quiet console=ttyS0,115200n81 selinux=0" \ -initrd initramfs.testing if [[ $? -ne 0 ]] || ! grep -m 1 -q nbd-OK flag.img; then 
@@ -207,7 +207,7 @@ make_encrypted_root() {
 $testdir/run-qemu -hda flag.img -hdb encrypted.ext2 -m 256M \
 -nographic -net none \
 -kernel "/boot/vmlinuz-$kernel" \
- -append "root=/dev/dracut/root rw quiet console=ttyS0,115200n81" \
+ -append "root=/dev/dracut/root rw quiet console=ttyS0,115200n81 selinux=0" \
 -initrd initramfs.makeroot || return 1
 grep -m 1 -q dracut-root-block-created flag.img || return 1
 }