From 2529c96b3757a4614deee644176ba7cd2d14a59d Mon Sep 17 00:00:00 2001
From: Guido Trentalancia
Date: Sun, 16 Jun 2024 15:47:04 +0200
Subject: [PATCH] Load the SELinux policy after switch_root.
This fixes the bootup process with recent kernels, as it was getting stuck on Permission Denied errors, due to the early SELinux policy load.
Thanks to Laszlo Gombos for reviewing this patch and suggesting to obsolete the SELinux load policy module instead of removing it completely.
Signed-off-by: Guido Trentalancia
---
 modules.d/98selinux/selinux-loadpolicy.sh | 5 +-
 modules.d/99base/init.sh | 61 ++++++++++++++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
---
 modules.d/98selinux/selinux-loadpolicy.sh | 5 +-
 modules.d/99base/init.sh | 61 +++++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/modules.d/98selinux/selinux-loadpolicy.sh b/modules.d/98selinux/selinux-loadpolicy.sh
index 0235b8ed45..d5d58150c5 100755
--- a/modules.d/98selinux/selinux-loadpolicy.sh
+++ b/modules.d/98selinux/selinux-loadpolicy.sh
@@ -1,6 +1,9 @@
 #!/bin/sh
-# FIXME: load selinux policy. this should really be done after we switchroot
+# SELinux policy load should be done after switch_root.
+#
+# This module is therefore obsolete and it is left here only
+# for backwards compatibility.
 rd_load_policy() {
     # If SELinux is disabled exit now
diff --git a/modules.d/99base/init.sh b/modules.d/99base/init.sh
index 285059e517..391c4be899 100755
--- a/modules.d/99base/init.sh
+++ b/modules.d/99base/init.sh
@@ -5,6 +5,7 @@
 # Copyright 2008-2010, Red Hat, Inc.
 # Harald Hoyer
 # Jeremy Katz
+# Copyright 2024 Guido Trentalancia
 export -p > /tmp/export.orig
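Review bot: The new header comment declares the module obsolete, but the hunk leaves `rd_load_policy() {` and its body in place (the body continues past the hunk), so the early policy load that the commit message blames for the Permission Denied hangs still executes wherever this hook is registered; the registration is not part of this diff. A comment alone does not retire a hook: if the module must stay for compatibility, the function should become a no-op, e.g. an early `return 0` as the first statement of `rd_load_policy`, or the hook registration should be dropped in the module setup. The comment would also help a maintainer more if it named the replacement, e.g. `# Superseded by the policy load appended to 99base/init.sh; kept only so existing references to this module keep working.`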
@@ -397,3 +398,63 @@ else
         emergency_shell
     }
 fi
+
+# If SELinux is disabled exit now
+getarg "selinux=0" > /dev/null && return 0
+
+SELINUX="enforcing"
+# shellcheck disable=SC1090
+[ -e "/etc/selinux/config" ] && . "/etc/selinux/config"
+
+# Check whether SELinux is in permissive mode
+permissive=0
+
+if getarg "enforcing=0" > /dev/null || [ "$SELINUX" = "permissive" ]; then
+    permissive=1
+fi
+
+# Finally load the SELinux policy and perform relabeling if needed
+if [ -x "/sbin/load_policy" ] || [ -x "/usr/sbin/load_policy" ]; then
+    local ret=0
+    local out
+    info "Loading SELinux policy"
+
+    if [ -x "/sbin/load_policy" ]; then
+        out=$(LANG=C /sbin/load_policy -i 2>&1)
+        ret=$?
+        info "$out"
+    else
+        out=$(LANG=C /usr/sbin/load_policy -i 2>&1)
+        ret=$?
+        info "$out"
+    fi
+    umount /sys/fs/selinux
+
+    if [ "$SELINUX" = "disabled" ]; then
+        return 0
+    fi
+
+    if [ $ret -eq 0 ] || [ $ret -eq 2 ]; then
+        # If machine requires a relabel, force to permissive mode
+        [ -e "/.autorelabel" ] && LANG=C /usr/sbin/setenforce 0
+        mount --rbind /dev "/dev"
+        LANG=C /sbin/restorecon -R /dev
+        umount -R "/dev"
+        return 0
+    fi
+
+    warn "Initial SELinux policy load failed."
+    if [ $ret -eq 3 ] || [ $permissive -eq 0 ]; then
+        warn "Machine in enforcing mode."
+        warn "Not continuing"
+        emergency_shell -n selinux
+        exit 1
+    fi
+    return 0
+elif [ $permissive -eq 0 ] && [ "$SELINUX" != "disabled" ]; then
+    warn "Machine in enforcing mode and cannot execute load_policy."
+    warn "To disable selinux, add selinux=0 to the kernel command line."
+    warn "Not continuing"
+    emergency_shell -n selinux
+    exit 1
+fi
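Review bot: `local ret=0` and `local out` are used at script top level here, outside any function, which both bash and dash reject ("local: not in a function"), and the bare `return 0` statements are likewise not function returns when init.sh is executed rather than sourced, so the enforcing/permissive decision this block is meant to make is not reliably taken. The surrounding context (`emergency_shell`, `}`, `fi`) looks like the tail of the `exec switch_root` block at the end of init.sh, which lies outside this hunk; if so, the appended lines only run when that exec fails, not after the switch the commit describes. Also, because this still runs inside the initramfs, `[ -e "/.autorelabel" ]` and `restorecon -R /dev` inspect the initramfs root rather than the real root — the `$NEWROOT` prefix of the original module was dropped — and `mount --rbind /dev "/dev"` binds /dev onto itself, a leftover of the chrooted variant that does nothing useful before the matching `umount -R "/dev"`. Wrapping the block in a function invoked before the exec, e.g. `load_selinux_policy() { … }` with plain `ret=0` / `out=` assignments and a `load_selinux_policy` call at the call site, would make `return 0` valid and run the load at the intended point; the relabel paths should then use `"$NEWROOT"` as the old module did.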