1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
--- sysvinit-2.85/src/init.c.selinux 2004-02-10 14:34:18.454593535 -0500
+++ sysvinit-2.85/src/init.c 2004-02-10 14:37:27.947014932 -0500
@@ -78,6 +78,87 @@
sigemptyset(&sa.sa_mask); \
sigaction(sig, &sa, NULL); \
} while(0)
+#ifdef WITH_SELINUX
+#include <sys/mman.h>
+#include <selinux/selinux.h>
+#include <sys/mount.h>
+
+static int load_policy(int *enforce)
+{
+ int fd=-1,ret=-1;
+ int rc=0;
+ struct stat sb;
+ void *map;
+ char policy_file[PATH_MAX];
+ int policy_version=0;
+ extern char *selinux_mnt;
+
+ log(L_VB, "Loading security policy\n");
+ if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
+ if (errno == ENODEV) {
+ log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
+ }
+ else {
+ log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
+ return ret;
+ }
+ return ret; /* Never gets here */
+ }
+
+ selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
+
+ policy_version=security_policyvers();
+ if (policy_version < 0) {
+ log(L_VB, "Can't get policy version: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+
+ rc=security_getenforce();
+ if (rc < 0) {
+ log(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+ *enforce=rc;
+
+ snprintf(policy_file,sizeof(policy_file),"%s.%d",SELINUXPOLICY,policy_version);
+ fd = open(policy_file, O_RDONLY);
+ if (fd < 0) {
+ /* Check previous version to see if old policy is available
+ */
+ snprintf(policy_file,sizeof(policy_file),"%s.%d",SELINUXPOLICY,policy_version-1);
+ fd = open(policy_file, O_RDONLY);
+ if (fd < 0) {
+ log(L_VB, "Can't open '%s.%d': %s\n",
+ SELINUXPOLICY,policy_version,strerror(errno));
+ goto UMOUNT;
+ }
+ }
+
+ if (fstat(fd, &sb) < 0) {
+ log(L_VB, "Can't stat '%s': %s\n",
+ policy_file, strerror(errno));
+ goto UMOUNT;
+ }
+
+ map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
+ if (map == MAP_FAILED) {
+ log(L_VB, "Can't map '%s': %s\n",
+ policy_file, strerror(errno));
+ goto UMOUNT;
+ }
+ ret=security_load_policy(map, sb.st_size);
+ if (ret < 0) {
+ log(L_VB, "security_load_policy failed\n");
+ }
+
+ UMOUNT:
+ /*umount(SELINUXMNT); */
+ if ( fd >= 0) {
+ close(fd);
+ }
+ return(ret);
+}
+#endif
/* Version information */
char *Version = "@(#) init " VERSION " " DATE " miquels@cistron.nl";
@@ -2576,6 +2657,20 @@
maxproclen += strlen(argv[f]) + 1;
}
+#ifdef WITH_SELINUX
+ if (getenv("SELINUX_INIT") == NULL) {
+ putenv("SELINUX_INIT=YES");
+ int enforce=0;
+ if (load_policy(&enforce) == 0 ) {
+ execv(myname, argv);
+ } else {
+ if (enforce)
+ /* SELinux in enforcing mode but load_policy failed */
+ exit(1);
+ }
+ }
+#endif
+
/* Start booting. */
argv0 = argv[0];
argv[1] = NULL;
--- sysvinit-2.85/src/Makefile.selinux 2004-02-10 14:34:18.413598203 -0500
+++ sysvinit-2.85/src/Makefile 2004-02-10 14:34:18.552582377 -0500
@@ -32,7 +32,7 @@
all: $(PROGS)
init: init.o init_utmp.o
- $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+ $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lselinux
halt: halt.o ifdown.o hddown.o utmp.o reboot.h
$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -62,7 +62,7 @@
$(CC) $(LDFLAGS) -o $@ bootlogd.o
init.o: init.c init.h set.h reboot.h
- $(CC) -c $(CFLAGS) init.c
+ $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
utmp.o: utmp.c init.h
$(CC) -c $(CFLAGS) utmp.c
|
GitWeb