Load the SELinux policy after switch_root. This fixes

the bootup process with recent kernels, as it was
getting stuck on Permission Denied errors due to the
early SELinux policy load.

Signed-off-by: Guido Trentalancia <[email protected]>
---
 .github/labeler.yml                       |    4 -
 modules.d/98selinux/module-setup.sh       |   17 -------
 modules.d/98selinux/selinux-loadpolicy.sh |   70 ------------------------------
 modules.d/99base/init.sh                  |   61 ++++++++++++++++++++++++++
 4 files changed, 61 insertions(+), 91 deletions(-)

Author: gtrentalancia

.github/labeler.yml

@@ -498,10 +498,6 @@ pollcdrom:
   - changed-files:
     - any-glob-to-any-file: 'modules.d/98pollcdrom/*'
 
-selinux:
-  - changed-files:
-    - any-glob-to-any-file: 'modules.d/98selinux/*'
-
 syslog:
   - changed-files:
     - any-glob-to-any-file: 'modules.d/98syslog/*'

modules.d/98selinux/module-setup.sh

@@ -5,6 +5,7 @@
 # Copyright 2008-2010, Red Hat, Inc.
 # Harald Hoyer <[email protected]>
 # Jeremy Katz <[email protected]>
+# Copyright 2024 Guido Trentalancia <[email protected]>
 
 export -p > /tmp/export.orig
 
@@ -397,3 +398,63 @@ else
         emergency_shell
     }
 fi
+
+# If SELinux is disabled exit now
+getarg "selinux=0" > /dev/null && return 0
+
+SELINUX="enforcing"
+# shellcheck disable=SC1090
+[ -e "/etc/selinux/config" ] && . "/etc/selinux/config"
+
+# Check whether SELinux is in permissive mode
+permissive=0
+
+if getarg "enforcing=0" > /dev/null || [ "$SELINUX" = "permissive" ]; then
+    permissive=1
+fi
+
+# Finally load the SELinux policy and perform relabeling if needed
+if [ -x "/sbin/load_policy" ] || [ -x "/usr/sbin/load_policy" ]; then
+    local ret=0
+    local out
+    info "Loading SELinux policy"
+
+    if [ -x "/sbin/load_policy" ]; then
+        out=$(LANG=C /sbin/load_policy -i 2>&1)
+        ret=$?
+        info "$out"
+    else
+        out=$(LANG=C /usr/sbin/load_policy -i 2>&1)
+        ret=$?
+        info "$out"
+    fi
+    umount /sys/fs/selinux
+
+    if [ "$SELINUX" = "disabled" ]; then
+        return 0
+    fi
+
+    if [ $ret -eq 0 ] || [ $ret -eq 2 ]; then
+        # If machine requires a relabel, force to permissive mode
+        [ -e "/.autorelabel" ] && LANG=C /usr/sbin/setenforce 0
+        mount --rbind /dev "/dev"
+        LANG=C /sbin/restorecon -R /dev
+        umount -R "/dev"
+        return 0
+    fi
+
+    warn "Initial SELinux policy load failed."
+    if [ $ret -eq 3 ] || [ $permissive -eq 0 ]; then
+        warn "Machine in enforcing mode."
+        warn "Not continuing"
+        emergency_shell -n selinux
+        exit 1
+    fi
+    return 0
+elif [ $permissive -eq 0 ] && [ "$SELINUX" != "disabled" ]; then
+    warn "Machine in enforcing mode and cannot execute load_policy."
+    warn "To disable selinux, add selinux=0 to the kernel command line."
+    warn "Not continuing"
+    emergency_shell -n selinux
+    exit 1
+fi