Jamie Nguyen wrote: > The error is dmesg is: > ERROR: Domain '<kernel> /sbin/modprobe' not defined. > > The "<kernel> /sbin/modprobe" does exist however. Ah, I see. As of /sbin/modprobe is executed from initramfs/initrd, profiles are not yet defined because /sbin/ccs-init is not yet called. I think below patch will fix it. --- a/security/ccsecurity/domain.c +++ b/security/ccsecurity/domain.c @@ -492,13 +492,14 @@ struct ccs_domain_info *ccs_assign_domai /* * Since namespace is created at runtime, profiles may * not be created by the moment the process transits to * that domain. Do not perform domain transition if * profile for that domain is not yet created. */ - if (!entry->ns->profile_ptr[entry->profile]) + if (ccs_policy_loaded && + !entry->ns->profile_ptr[entry->profile]) return NULL; security->ccs_domain_info = entry; } return entry; } /* Requested domain does not exist. */
TOMOYO
Fork