Basic support for loading SELinux from the initramfs
authorJeremy Katz <katzj@redhat.com>
Mon, 5 Jan 2009 18:16:39 +0000 (13:16 -0500)
committerJeremy Katz <katzj@redhat.com>
Mon, 5 Jan 2009 18:18:50 +0000 (13:18 -0500)
dracut
init

diff --git a/dracut b/dracut
index 256507dd61d28dff3145f34501c9d1ee6737ebdd..af44868780f43fbf3b067a11c92f821cf9989118 100755 (executable)
--- a/dracut
+++ b/dracut
@@ -66,7 +66,7 @@ fi
 initdir=$(mktemp -d -t initramfs.XXXXXX)
 
 # executables that we have to have
-exe="/bin/bash /bin/mount /bin/mknod /bin/mkdir /sbin/modprobe /sbin/udevd /sbin/udevadm /sbin/nash /bin/kill /sbin/pidof /bin/sleep /bin/echo"
+exe="/bin/bash /bin/mount /bin/mknod /bin/mkdir /sbin/modprobe /sbin/udevd /sbin/udevadm /sbin/nash /bin/kill /sbin/pidof /bin/sleep /bin/echo /usr/sbin/chroot"
 lvmexe="/sbin/lvm"
 cryptexe="/sbin/cryptsetup"
 # and some things that are nice for debugging
diff --git a/init b/init
index d9b6c60580991442607e39aae4d52e6315cd8615..5b94e3d6d5431f6133c28c2e46f47d7ef265d75f 100755 (executable)
--- a/init
+++ b/init
@@ -91,12 +91,22 @@ mount --bind /dev $NEWROOT/dev
 mount -t proc /proc $NEWROOT/proc
 mount -t sysfs /sys $NEWROOT/sys
 
-# FIXME: load selinux policy
+# FIXME: load selinux policy.  this should really be done after we switchroot 
+if [ -x $NEWROOT/usr/sbin/load_policy ]; then
+  chroot $NEWROOT /usr/sbin/load_policy -i
+  if [ $? -eq 3 ]; then
+    echo "Initial SELinux policy load failed and enforcing mode requested."
+    echo "Not continuing"
+    sleep 100d
+    exit 1
+  fi
+fi
 
 # kill off udev
 kill `pidof udevd`
 
 [ -x /bin/plymouth ] && /bin/plymouth --newroot=$NEWROOT
+
 # FIXME: nash die die die
 exec /sbin/switch_root
 # davej doesn't like initrd bugs
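Review bot: The new block halts the boot only when `$?` is exactly 3, so every other non-zero status after `chroot $NEWROOT /usr/sbin/load_policy -i` falls through silently and the script goes on to `exec /sbin/switch_root` with no policy loaded and nothing on the console. That includes the statuses `chroot` itself returns when it cannot enter `$NEWROOT` or run the binary, in which case the script cannot tell whether enforcing mode was requested. I would save the status with `rc=$?` right after the chroot line, test `[ "$rc" -eq 3 ]`, and add `elif [ "$rc" -ne 0 ]; then echo "SELinux policy load failed (status $rc)"; fi` so a degraded boot is at least visible; whether those cases should also stop the boot is a policy decision for the maintainers. Separately, `$NEWROOT` is unquoted in both the `[ -x ... ]` test and the `chroot` call, and quoting it as `"$NEWROOT"` would keep an empty or space-containing value from changing what gets tested and executed.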