]>
Commit | Line | Data |
---|---|---|
f31152bd JB |
1 | --- sysvinit-2.85/src/init.c.selinux 2004-06-09 15:28:47.478406720 -0400 |
2 | +++ sysvinit-2.85/src/init.c 2004-06-09 15:29:03.208015456 -0400 | |
3 | @@ -48,6 +48,10 @@ | |
4 | #include <stdarg.h> | |
5 | #include <sys/syslog.h> | |
6 | #include <sys/time.h> | |
437bcd41 AM |
7 | +#include <sys/mman.h> |
8 | +#include <selinux/selinux.h> | |
9 | +#include <sys/mount.h> | |
f31152bd JB |
10 | + |
11 | ||
12 | #ifdef __i386__ | |
13 | # if (__GLIBC__ >= 2) | |
14 | @@ -103,6 +107,7 @@ | |
15 | int dfl_level = 0; /* Default runlevel */ | |
16 | sig_atomic_t got_cont = 0; /* Set if we received the SIGCONT signal */ | |
17 | sig_atomic_t got_signals; /* Set if we received a signal. */ | |
18 | +int enforcing = -1; /* SELinux enforcing mode */ | |
19 | int emerg_shell = 0; /* Start emergency shell? */ | |
20 | int wrote_wtmp_reboot = 1; /* Set when we wrote the reboot record */ | |
21 | int wrote_utmp_reboot = 1; /* Set when we wrote the reboot record */ | |
22 | @@ -187,6 +192,130 @@ | |
23 | {NULL,0} | |
24 | }; | |
25 | ||
26 | +/* Mount point for selinuxfs. */ | |
27 | +#define SELINUXMNT "/selinux/" | |
437bcd41 AM |
28 | + |
29 | +static int load_policy(int *enforce) | |
30 | +{ | |
f31152bd JB |
31 | + int fd=-1,ret=-1; |
32 | + int rc=0; | |
33 | + struct stat sb; | |
34 | + void *map; | |
35 | + char policy_file[PATH_MAX]; | |
36 | + int policy_version=0; | |
37 | + extern char *selinux_mnt; | |
38 | + FILE *cfg; | |
39 | + char buf[4096]; | |
40 | + int seconfig = -2; | |
41 | + | |
42 | + selinux_getenforcemode(&seconfig); | |
437bcd41 | 43 | + |
f31152bd JB |
44 | + mount("none", "/proc", "proc", 0, 0); |
45 | + cfg = fopen("/proc/cmdline","r"); | |
46 | + if (cfg) { | |
47 | + char *tmp; | |
48 | + if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) { | |
49 | + if (tmp == buf || isspace(*(tmp-1))) { | |
50 | + enforcing=atoi(tmp+10); | |
51 | + } | |
52 | + } | |
53 | + fclose(cfg); | |
54 | + } | |
55 | +#define MNT_DETACH 2 | |
56 | + umount2("/proc",MNT_DETACH); | |
57 | + | |
58 | + if (enforcing >=0) | |
59 | + *enforce = enforcing; | |
60 | + else if (seconfig == 1) | |
61 | + *enforce = 1; | |
62 | + | |
63 | + if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) { | |
64 | + if (errno == ENODEV) { | |
65 | + log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno)); | |
66 | + *enforce = 0; | |
67 | + } else { | |
68 | + log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno)); | |
69 | + } | |
70 | + return ret; | |
71 | + } | |
437bcd41 | 72 | + |
f31152bd | 73 | + selinux_mnt = SELINUXMNT; /* set manually since we mounted it */ |
437bcd41 | 74 | + |
f31152bd JB |
75 | + policy_version=security_policyvers(); |
76 | + if (policy_version < 0) { | |
77 | + log(L_VB, "Can't get policy version: %s\n", strerror(errno)); | |
78 | + goto UMOUNT; | |
79 | + } | |
437bcd41 | 80 | + |
f31152bd JB |
81 | + rc = security_getenforce(); |
82 | + if (rc < 0) { | |
83 | + log(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno)); | |
84 | + goto UMOUNT; | |
85 | + } | |
86 | + if (enforcing >= 0) { | |
87 | + *enforce = enforcing; | |
88 | + } else if (seconfig == -1) { | |
89 | + *enforce = 0; | |
90 | + rc = security_disable(); | |
91 | + if (rc == 0) umount(SELINUXMNT); | |
92 | + if (rc < 0) { | |
93 | + rc = security_setenforce(0); | |
94 | + if (rc < 0) { | |
95 | + log(L_VB, "Can't disable SELinux: %s\n", strerror(errno)); | |
96 | + goto UMOUNT; | |
97 | + } | |
98 | + } | |
99 | + ret = 0; | |
100 | + goto UMOUNT; | |
101 | + } else if (seconfig >= 0) { | |
102 | + *enforce = seconfig; | |
103 | + rc = security_setenforce(seconfig); | |
104 | + if (rc < 0) { | |
105 | + log(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno)); | |
106 | + goto UMOUNT; | |
107 | + } | |
108 | + } | |
437bcd41 | 109 | + |
f31152bd JB |
110 | + snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version); |
111 | + fd = open(policy_file, O_RDONLY); | |
112 | + if (fd < 0) { | |
113 | + /* Check previous version to see if old policy is available | |
114 | + */ | |
115 | + snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1); | |
116 | + fd = open(policy_file, O_RDONLY); | |
117 | + if (fd < 0) { | |
118 | + log(L_VB, "Can't open '%s.%d': %s\n", | |
119 | + selinux_binary_policy_path(),policy_version,strerror(errno)); | |
120 | + goto UMOUNT; | |
121 | + } | |
122 | + } | |
437bcd41 | 123 | + |
f31152bd JB |
124 | + if (fstat(fd, &sb) < 0) { |
125 | + log(L_VB, "Can't stat '%s': %s\n", | |
126 | + policy_file, strerror(errno)); | |
127 | + goto UMOUNT; | |
128 | + } | |
437bcd41 | 129 | + |
f31152bd JB |
130 | + map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0); |
131 | + if (map == MAP_FAILED) { | |
132 | + log(L_VB, "Can't map '%s': %s\n", | |
133 | + policy_file, strerror(errno)); | |
134 | + goto UMOUNT; | |
135 | + } | |
136 | + log(L_VB, "Loading security policy\n"); | |
137 | + ret=security_load_policy(map, sb.st_size); | |
138 | + if (ret < 0) { | |
139 | + log(L_VB, "security_load_policy failed\n"); | |
140 | + } | |
437bcd41 | 141 | + |
f31152bd JB |
142 | +UMOUNT: |
143 | + /*umount(SELINUXMNT); */ | |
144 | + if ( fd >= 0) { | |
145 | + close(fd); | |
146 | + } | |
147 | + return(ret); | |
437bcd41 | 148 | +} |
f31152bd JB |
149 | + |
150 | /* | |
151 | * Sleep a number of seconds. | |
152 | * | |
153 | @@ -2513,6 +2642,7 @@ | |
154 | char *p; | |
155 | int f; | |
156 | int isinit; | |
157 | + int enforce = 0; | |
437bcd41 | 158 | |
f31152bd JB |
159 | /* Get my own name */ |
160 | if ((p = strrchr(argv[0], '/')) != NULL) | |
161 | @@ -2576,6 +2706,20 @@ | |
437bcd41 AM |
162 | maxproclen += strlen(argv[f]) + 1; |
163 | } | |
164 | ||
437bcd41 | 165 | + if (getenv("SELINUX_INIT") == NULL) { |
7bf76497 | 166 | + putenv("SELINUX_INIT=YES"); |
437bcd41 AM |
167 | + if (load_policy(&enforce) == 0 ) { |
168 | + execv(myname, argv); | |
169 | + } else { | |
f31152bd | 170 | + if (enforce > 0) { |
437bcd41 | 171 | + /* SELinux in enforcing mode but load_policy failed */ |
f31152bd JB |
172 | + /* At this point, we probably can't open /dev/console, so log() won't work */ |
173 | + printf("Enforcing mode requested but no policy loaded. Halting now.\n"); | |
437bcd41 | 174 | + exit(1); |
f31152bd | 175 | + } |
437bcd41 AM |
176 | + } |
177 | + } | |
437bcd41 AM |
178 | + |
179 | /* Start booting. */ | |
180 | argv0 = argv[0]; | |
181 | argv[1] = NULL; | |
f31152bd JB |
182 | --- sysvinit-2.85/src/sulogin.c.orig 2004-07-15 21:46:46.585783085 +0000 |
183 | +++ sysvinit-2.85/src/sulogin.c 2004-07-15 21:49:43.413905919 +0000 | |
184 | @@ -29,6 +29,10 @@ | |
185 | #endif | |
186 | #include "md5.h" | |
187 | #include "blowfish.h" | |
188 | +#ifdef WITH_SELINUX | |
189 | +#include <selinux/selinux.h> | |
190 | +#include <selinux/get_context_list.h> | |
191 | +#endif | |
192 | ||
193 | #define CHECK_DES 1 | |
194 | #define CHECK_MD5 1 | |
195 | @@ -358,6 +362,16 @@ | |
196 | signal(SIGINT, SIG_DFL); | |
197 | signal(SIGTSTP, SIG_DFL); | |
198 | signal(SIGQUIT, SIG_DFL); | |
199 | +#ifdef WITH_SELINUX | |
200 | + if (is_selinux_enabled > 0) { | |
201 | + security_context_t* contextlist=NULL; | |
202 | + if (get_ordered_context_list("root", 0, &contextlist) > 0) { | |
203 | + if (setexeccon(contextlist[0]) != 0) | |
204 | + fprintf(stderr, "setexeccon faile\n"); | |
205 | + freeconary(contextlist); | |
206 | + } | |
207 | + } | |
208 | +#endif | |
209 | execl(sushell, shell, NULL); | |
210 | perror(sushell); | |
211 | ||
212 | --- sysvinit-2.85/src/killall5.c.selinux 2004-06-09 15:28:47.362424352 -0400 | |
213 | +++ sysvinit-2.85/src/killall5.c 2004-06-09 15:28:47.525399576 -0400 | |
437bcd41 AM |
214 | @@ -144,8 +144,11 @@ |
215 | ||
216 | /* | |
217 | * Read the proc filesystem. | |
218 | + * since pidOf does not use process sid added a needSid flag to eliminate | |
219 | + * the need of this privs for SELinux | |
220 | + * | |
221 | */ | |
222 | -int readproc() | |
223 | +int readproc(int needSid) | |
224 | { | |
225 | DIR *dir; | |
226 | struct dirent *d; | |
227 | @@ -221,12 +224,16 @@ | |
228 | free(p); | |
229 | continue; | |
230 | } | |
231 | - p->sid = getsid(pid); | |
232 | - if (p->sid < 0) { | |
233 | - p->sid = 0; | |
234 | - nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid); | |
235 | - free(p); | |
236 | - continue; | |
237 | + if (needSid) { | |
238 | + p->sid = getsid(pid); | |
239 | + if (p->sid < 0) { | |
240 | + p->sid = 0; | |
241 | + nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid); | |
242 | + free(p); | |
243 | + continue; | |
244 | + } | |
245 | + } else { | |
246 | + p->sid = 0; | |
247 | } | |
248 | ||
249 | /* Now read argv[0] */ | |
250 | @@ -463,7 +470,7 @@ | |
251 | argv += optind; | |
252 | ||
253 | /* Print out process-ID's one by one. */ | |
254 | - readproc(); | |
255 | + readproc(0); | |
256 | for(f = 0; f < argc; f++) { | |
257 | if ((q = pidof(argv[f])) != NULL) { | |
258 | spid = 0; | |
259 | @@ -544,7 +551,7 @@ | |
260 | stopped = 1; | |
261 | ||
262 | /* Find out our own 'sid'. */ | |
263 | - if (readproc() < 0) { | |
264 | + if (readproc(1) < 0) { | |
265 | kill(-1, SIGCONT); | |
266 | exit(1); | |
267 | } | |
f31152bd JB |
268 | --- sysvinit-2.85/src/Makefile.orig 2004-07-15 21:46:46.587736210 +0000 |
269 | +++ sysvinit-2.85/src/Makefile 2004-07-15 21:50:39.413905233 +0000 | |
270 | @@ -36,7 +36,7 @@ | |
59fa00c5 JB |
271 | all: $(PROGS) |
272 | ||
273 | init: init.o init_utmp.o | |
274 | - $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o | |
275 | + $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lselinux | |
276 | ||
277 | halt: halt.o ifdown.o hddown.o utmp.o reboot.h | |
278 | $(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o | |
f31152bd JB |
279 | @@ -54,7 +54,7 @@ |
280 | $(CC) $(LDFLAGS) -o $@ runlevel.o | |
281 | ||
282 | sulogin: sulogin.o md5_broken.o md5_crypt_broken.o arc4random.o bcrypt.o blowfish.o | |
283 | - $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT) | |
284 | + $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT) -lselinux | |
285 | ||
286 | wall: dowall.o wall.o | |
287 | $(CC) $(LDFLAGS) -o $@ dowall.o wall.o | |
288 | @@ -65,8 +65,11 @@ | |
289 | bootlogd: bootlogd.o | |
59fa00c5 JB |
290 | $(CC) $(LDFLAGS) -o $@ bootlogd.o |
291 | ||
f31152bd JB |
292 | +sulogin.o: sulogin.c |
293 | + $(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c | |
294 | + | |
59fa00c5 JB |
295 | init.o: init.c init.h set.h reboot.h |
296 | - $(CC) -c $(CFLAGS) init.c | |
297 | + $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c | |
298 | ||
299 | utmp.o: utmp.c init.h | |
300 | $(CC) -c $(CFLAGS) utmp.c |