From a8b34088546fdd1505c5def6879e76bc69f03df6 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 21 Feb 2014 03:29:00 +0100
Subject: [PATCH] selinux: Don't attempt to load policy in initramfs if it
 doesn't exist

Currently on at least Fedora, SELinux policy does not come in the
initramfs.  systemd will attempt to load *both* in the initramfs and
in the real root.

Now, the selinux_init_load_policy() API has a regular error return
value, as well as an "enforcing" boolean.  To determine enforcing
state, it looks for /etc/selinux/config as well as the presence of
"enforcing=" on the kernel command line.

Ordinarily, neither of those exist in the initramfs, so it will return
"unknown" for enforcing, and systemd will simply ignore the failure to
load policy.

(cherry picked from commit 37f78db2f4a33474fc349f406b0a0a48e9c573a2)
---
 src/core/selinux-setup.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index 7a32ed5..9a5d6b2 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -58,6 +58,13 @@ int selinux_setup(bool *loaded_policy) {
        cb.func_log = null_log;
        selinux_set_callback(SELINUX_CB_LOG, cb);
 
+       /* Don't load policy in the initrd if we don't appear to have
+        * it.  For the real root, we check below if we've already
+        * loaded policy, and return gracefully.
+        */
+       if (in_initrd() && access(selinux_path(), F_OK) < 0)
+               return 0;
+
        /* Already initialized by somebody else? */
        r = getcon_raw(&con);
        if (r == 0) {