selinux_init_load_policy: setenforce(0) if security_disable() fails
If you run selinux_init_load_policy() after a chroot/switch-root, it's
possible that your *previous* root loaded policy, but your *new* root
wants SELinux disabled.
We can't disable SELinux in this case, but we *do* need to make sure
it's permissive. Otherwise we may continue to enforce the old policy.
So, if seconfig = -1, but security_disable() fails, we set *enforce=0,
and then let the existing code handle the security_{get,set}enforce
stuff.
Once that's handled, exit with failure via "goto noload", as before.
1 file changed