sysvinit-selinux.patch

   1 --- sysvinit-2.85/src/init.c.selinux    2004-08-11 17:48:23.000000000 -0400
   2 +++ sysvinit-2.85/src/init.c    2004-08-12 06:25:30.166271148 -0400
   3 @@ -48,6 +48,11 @@
   4  #include <stdarg.h>
   5  #include <sys/syslog.h>
   6  #include <sys/time.h>
   7 +#include <sys/mman.h>
   8 +#include <selinux/selinux.h>
   9 +#include <sepol/sepol.h>
  10 +#include <sys/mount.h>
  11 +
  12
  13  #ifdef __i386__
  14  #  if (__GLIBC__ >= 2)
  15 @@ -103,6 +108,7 @@
  16  int dfl_level = 0;             /* Default runlevel */
  17  sig_atomic_t got_cont = 0;     /* Set if we received the SIGCONT signal */
  18  sig_atomic_t got_signals;      /* Set if we received a signal. */
  19 +int enforcing = -1;            /* SELinux enforcing mode */
  20  int emerg_shell = 0;           /* Start emergency shell? */
  21  int wrote_wtmp_reboot = 1;     /* Set when we wrote the reboot record */
  22  int wrote_utmp_reboot = 1;     /* Set when we wrote the reboot record */
  23 @@ -187,6 +193,146 @@
  24         {NULL,0}
  25  };
  26
  27 +/* Mount point for selinuxfs. */
  28 +#define SELINUXMNT "/selinux/"
  29 +
  30 +static int load_policy(int *enforce)
  31 +{
  32 +       int fd=-1,ret=-1;
  33 +       int rc=0, orig_enforce;
  34 +       struct stat sb;
  35 +       void *map;
  36 +       char policy_file[PATH_MAX];
  37 +       int policy_version=0;
  38 +       FILE *cfg;
  39 +       char buf[4096];
  40 +       int seconfig = -2;
  41 +
  42 +       selinux_getenforcemode(&seconfig);
  43 +
  44 +       mount("none", "/proc", "proc", 0, 0);
  45 +       cfg = fopen("/proc/cmdline","r");
  46 +       if (cfg) {
  47 +               char *tmp;
  48 +               if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
  49 +                       if (tmp == buf || isspace(*(tmp-1))) {
  50 +                               enforcing=atoi(tmp+10);
  51 +                       }
  52 +               }
  53 +               fclose(cfg);
  54 +       }
  55 +#define MNT_DETACH 2
  56 +       umount2("/proc",MNT_DETACH);
  57 +
  58 +       if (enforcing >=0)
  59 +               *enforce = enforcing;
  60 +       else if (seconfig == 1)
  61 +               *enforce = 1;
  62 +
  63 +       if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
  64 +               if (errno == ENODEV) {
  65 +                       initlog(L_VB, "SELinux not supported by kernel: %s\n",strerror(errno));
  66 +                       *enforce = 0;
  67 +               } else {
  68 +                       initlog(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
  69 +               }
  70 +               return ret;
  71 +       }
  72 +
  73 +       set_selinuxmnt(SELINUXMNT); /* set manually since we mounted it */
  74 +
  75 +       policy_version=security_policyvers();
  76 +       if (policy_version < 0) {
  77 +               initlog(L_VB,  "Can't get policy version: %s\n", strerror(errno));
  78 +               goto UMOUNT;
  79 +       }
  80 +
  81 +       orig_enforce = rc = security_getenforce();
  82 +       if (rc < 0) {
  83 +               initlog(L_VB,  "Can't get SELinux enforcement flag: %s\n", strerror(errno));
  84 +               goto UMOUNT;
  85 +       }
  86 +       if (enforcing >= 0) {
  87 +               *enforce = enforcing;
  88 +       } else if (seconfig == -1) {
  89 +               *enforce = 0;
  90 +               rc = security_disable();
  91 +               if (rc == 0) umount(SELINUXMNT);
  92 +               if (rc < 0) {
  93 +                       rc = security_setenforce(0);
  94 +                       if (rc < 0) {
  95 +                               initlog(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
  96 +                               goto UMOUNT;
  97 +                       }
  98 +               }
  99 +               ret = 0;
 100 +               goto UMOUNT;
 101 +       } else if (seconfig >= 0) {
 102 +               *enforce = seconfig;
 103 +               if (orig_enforce != *enforce) {
 104 +                       rc = security_setenforce(seconfig);
 105 +                       if (rc < 0) {
 106 +                               initlog(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
 107 +                               goto UMOUNT;
 108 +                       }
 109 +               }
 110 +       }
 111 +
 112 +       snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
 113 +       fd = open(policy_file, O_RDONLY);
 114 +       if (fd < 0) {
 115 +               /* Check previous version to see if old policy is available
 116 +                */
 117 +               snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
 118 +               fd = open(policy_file, O_RDONLY);
 119 +               if (fd < 0) {
 120 +                       initlog(L_VB,  "Can't open '%s.%d':  %s\n",
 121 +                           selinux_binary_policy_path(),policy_version,strerror(errno));
 122 +                       goto UMOUNT;
 123 +               }
 124 +       }
 125 +
 126 +       if (fstat(fd, &sb) < 0) {
 127 +               initlog(L_VB, "Can't stat '%s':  %s\n",
 128 +                   policy_file, strerror(errno));
 129 +               goto UMOUNT;
 130 +       }
 131 +
 132 +       map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
 133 +       if (map == MAP_FAILED) {
 134 +               initlog(L_VB,  "Can't map '%s':  %s\n",
 135 +                   policy_file, strerror(errno));
 136 +               goto UMOUNT;
 137 +       }
 138 +
 139 +
 140 +       /* Set booleans based on a booleans configuration file. */
 141 +       ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
 142 +       if (ret < 0) {
 143 +               if (errno == ENOENT || errno == EINVAL) {
 144 +                       /* No booleans file or stale booleans in the file; non-fatal. */
 145 +                       initlog(L_VB,"Warning!  Error while setting booleans:  %s\n"
 146 +                           , strerror(errno));
 147 +               } else {
 148 +                       initlog(L_VB,"Error while setting booleans:  %s\n",
 149 +                           strerror(errno));
 150 +                       goto UMOUNT;
 151 +               }
 152 +       }
 153 +       initlog(L_VB, "Loading security policy\n");
 154 +       ret=security_load_policy(map, sb.st_size);
 155 +       if (ret < 0) {
 156 +               initlog(L_VB, "security_load_policy failed\n");
 157 +       }
 158 +
 159 +UMOUNT:
 160 +       /*umount(SELINUXMNT); */
 161 +       if ( fd >= 0) {
 162 +               close(fd);
 163 +       }
 164 +       return(ret);
 165 +}
 166 +
 167  /*
 168   *     Sleep a number of seconds.
 169   *
 170 @@ -2513,6 +2658,7 @@
 171         char                    *p;
 172         int                     f;
 173         int                     isinit;
 174 +       int                     enforce = 0;
 175
 176         /* Get my own name */
 177         if ((p = strrchr(argv[0], '/')) != NULL)
 178 @@ -2576,6 +2722,20 @@
 179                 maxproclen += strlen(argv[f]) + 1;
 180         }
 181
 182 +       if (getenv("SELINUX_INIT") == NULL) {
 183 +         putenv("SELINUX_INIT=YES");
 184 +         if (load_policy(&enforce) == 0 ) {
 185 +           execv(myname, argv);
 186 +         } else {
 187 +           if (enforce > 0) {
 188 +             /* SELinux in enforcing mode but load_policy failed */
 189 +             /* At this point, we probably can't open /dev/console, so initlog() won't work */
 190 +                   fprintf(stderr,"Enforcing mode requested but no policy loaded. Halting now.\n");
 191 +             exit(1);
 192 +           }
 193 +         }
 194 +       }
 195 +
 196         /* Start booting. */
 197         argv0 = argv[0];
 198         argv[1] = NULL;
 199 --- sysvinit-2.85/src/sulogin.c.orig    2004-07-15 21:46:46.585783085 +0000
 200 +++ sysvinit-2.85/src/sulogin.c 2004-07-15 21:49:43.413905919 +0000
 201 @@ -29,6 +29,10 @@
 202  #endif
 203  #include "md5.h"
 204  #include "blowfish.h"
 205 +#ifdef WITH_SELINUX
 206 +#include <selinux/selinux.h>
 207 +#include <selinux/get_context_list.h>
 208 +#endif
 209
 210  #define CHECK_DES      1
 211  #define CHECK_MD5      1
 212 @@ -358,6 +362,16 @@
 213         signal(SIGINT, SIG_DFL);
 214         signal(SIGTSTP, SIG_DFL);
 215         signal(SIGQUIT, SIG_DFL);
 216 +#ifdef WITH_SELINUX
 217 +       if (is_selinux_enabled > 0) {
 218 +         security_context_t* contextlist=NULL;
 219 +         if (get_ordered_context_list("root", 0, &contextlist) > 0) {
 220 +           if (setexeccon(contextlist[0]) != 0)
 221 +             fprintf(stderr, "setexeccon failed\n");
 222 +           freeconary(contextlist);
 223 +         }
 224 +       }
 225 +#endif
 226         execl(sushell, shell, NULL);
 227         perror(sushell);
 228
 229 --- sysvinit-2.86/src/killall5.c.orig   2004-12-26 23:22:03.520344296 +0100
 230 +++ sysvinit-2.86/src/killall5.c        2004-12-26 23:27:39.693238248 +0100
 231 @@ -166,8 +166,11 @@
 232
 233  /*
 234   *     Read the proc filesystem.
 235 + *      since pidOf does not use process sid added a needSid flag to eliminate
 236 + *     the need of this privs for SELinux
 237 + *
 238   */
 239 -int readproc()
 240 +int readproc(int needSid)
 241  {
 242         DIR             *dir;
 243         FILE            *fp;
 244 @@ -252,6 +255,7 @@
 245                                         p->kernel = 1;
 246                         }
 247                         fclose(fp);
 248 +                       if (needSid) {
 249                         p->sid = getsid(pid);
 250                         if (p->sid < 0) {
 251                                 p->sid = 0;
 252 @@ -260,6 +264,9 @@
 253                                 free(p);
 254                                 continue;
 255                         }
 256 +                       } else {
 257 +                               p->sid = 0;
 258 +                       }
 259                 } else {
 260                         /* Process disappeared.. */
 261                         free(p);
 262 @@ -531,7 +538,7 @@
 263         argv += optind;
 264
 265         /* Print out process-ID's one by one. */
 266 -       readproc();
 267 +       readproc(0);
 268         for(f = 0; f < argc; f++) {
 269                 if ((q = pidof(argv[f])) != NULL) {
 270                         spid = 0;
 271 @@ -612,7 +619,7 @@
 272         sent_sigstop = 1;
 273
 274         /* Read /proc filesystem */
 275 -       if (readproc() < 0) {
 276 +       if (readproc(1) < 0) {
 277                 kill(-1, SIGCONT);
 278                 exit(1);
 279         }
 280 --- sysvinit-2.86/src/Makefile.orig     2004-12-26 23:22:03.472351592 +0100
 281 +++ sysvinit-2.86/src/Makefile  2004-12-26 23:28:26.488124344 +0100
 282 @@ -58,7 +58,7 @@
 283  all:           $(BIN) $(SBIN) $(USRBIN)
 284
 285  init:          init.o init_utmp.o
 286 -               $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
 287 +               $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
 288
 289  halt:          halt.o ifdown.o hddown.o utmp.o reboot.h
 290                 $(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
 291 @@ -79,7 +79,7 @@
 292                 $(CC) $(LDFLAGS) -o $@ runlevel.o
 293
 294  sulogin:       sulogin.o md5_broken.o md5_crypt_broken.o arc4random.o bcrypt.o blowfish.o
 295 -               $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
 296 +               $(CC) $(LDFLAGS) $(STATIC) -DWITH_SELINUX -o $@ $^ $(LCRYPT) -lselinux
 297
 298  wall:          dowall.o wall.o
 299                 $(CC) $(LDFLAGS) -o $@ dowall.o wall.o
 300 @@ -90,8 +90,11 @@
 301  bootlogd:      bootlogd.o
 302                 $(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
 303
 304 +sulogin.o:     sulogin.c
 305 +               $(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c
 306 +
 307  init.o:                init.c init.h set.h reboot.h initreq.h
 308 -               $(CC) -c $(CFLAGS) init.c
 309 +               $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
 310
 311  utmp.o:                utmp.c init.h
 312                 $(CC) -c $(CFLAGS) utmp.c