1 --- sysvinit-2.85/src/init.c.selinux 2004-08-11 17:48:23.000000000 -0400
2 +++ sysvinit-2.85/src/init.c 2004-08-12 06:25:30.166271148 -0400
5 #include <sys/syslog.h>
8 +#include <selinux/selinux.h>
9 +#include <sepol/sepol.h>
10 +#include <sys/mount.h>
16 int dfl_level = 0; /* Default runlevel */
17 sig_atomic_t got_cont = 0; /* Set if we received the SIGCONT signal */
18 sig_atomic_t got_signals; /* Set if we received a signal. */
19 +int enforcing = -1; /* SELinux enforcing mode */
20 int emerg_shell = 0; /* Start emergency shell? */
21 int wrote_wtmp_reboot = 1; /* Set when we wrote the reboot record */
22 int wrote_utmp_reboot = 1; /* Set when we wrote the reboot record */
27 +/* Mount point for selinuxfs. */
28 +#define SELINUXMNT "/selinux/"
30 +static int load_policy(int *enforce)
33 + int rc=0, orig_enforce;
36 + char policy_file[PATH_MAX];
37 + int policy_version=0;
42 + selinux_getenforcemode(&seconfig);
44 + mount("none", "/proc", "proc", 0, 0);
45 + cfg = fopen("/proc/cmdline","r");
48 + if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
49 + if (tmp == buf || isspace(*(tmp-1))) {
50 + enforcing=atoi(tmp+10);
56 + umount2("/proc",MNT_DETACH);
59 + *enforce = enforcing;
60 + else if (seconfig == 1)
63 + if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
64 + if (errno == ENODEV) {
65 + initlog(L_VB, "SELinux not supported by kernel: %s\n",strerror(errno));
68 + initlog(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
73 + set_selinuxmnt(SELINUXMNT); /* set manually since we mounted it */
75 + policy_version=security_policyvers();
76 + if (policy_version < 0) {
77 + initlog(L_VB, "Can't get policy version: %s\n", strerror(errno));
81 + orig_enforce = rc = security_getenforce();
83 + initlog(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno));
86 + if (enforcing >= 0) {
87 + *enforce = enforcing;
88 + } else if (seconfig == -1) {
90 + rc = security_disable();
91 + if (rc == 0) umount(SELINUXMNT);
93 + rc = security_setenforce(0);
95 + initlog(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
101 + } else if (seconfig >= 0) {
102 + *enforce = seconfig;
103 + if (orig_enforce != *enforce) {
104 + rc = security_setenforce(seconfig);
106 + initlog(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
112 + snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
113 + fd = open(policy_file, O_RDONLY);
115 + /* Check previous version to see if old policy is available
117 + snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
118 + fd = open(policy_file, O_RDONLY);
120 + initlog(L_VB, "Can't open '%s.%d': %s\n",
121 + selinux_binary_policy_path(),policy_version,strerror(errno));
126 + if (fstat(fd, &sb) < 0) {
127 + initlog(L_VB, "Can't stat '%s': %s\n",
128 + policy_file, strerror(errno));
132 + map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
133 + if (map == MAP_FAILED) {
134 + initlog(L_VB, "Can't map '%s': %s\n",
135 + policy_file, strerror(errno));
140 + /* Set booleans based on a booleans configuration file. */
141 + ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
143 + if (errno == ENOENT || errno == EINVAL) {
144 + /* No booleans file or stale booleans in the file; non-fatal. */
145 + initlog(L_VB,"Warning! Error while setting booleans: %s\n"
146 + , strerror(errno));
148 + initlog(L_VB,"Error while setting booleans: %s\n",
153 + initlog(L_VB, "Loading security policy\n");
154 + ret=security_load_policy(map, sb.st_size);
156 + initlog(L_VB, "security_load_policy failed\n");
160 + /*umount(SELINUXMNT); */
168 * Sleep a number of seconds.
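Review bot: In load_policy, `enforcing=atoi(tmp+10);` cannot tell a non-numeric value from 0, so a malformed `enforcing=` token on the kernel command line is read as permissive and, through the `if (enforcing >= 0)` branch, takes precedence over the mode read from the config file. Parsing with `strtol` and accepting only 0 or 1 would keep an unparseable value from lowering the mode: `v = strtol(tmp+10, &end, 10); if (end != tmp+10 && (v == 0 || v == 1)) enforcing = (int)v;`. `strstr` also looks only at the first `enforcing=` match, so an earlier token that merely ends in that string fails the `isspace` test and hides a valid one later on the line. Parts of the function are missing from this listing, so the error paths after `mount("none", "/proc", ...)` and `fopen` could not be checked.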
170 @@ -2513,6 +2658,7 @@
176 /* Get my own name */
177 if ((p = strrchr(argv[0], '/')) != NULL)
178 @@ -2576,6 +2722,20 @@
179 maxproclen += strlen(argv[f]) + 1;
182 + if (getenv("SELINUX_INIT") == NULL) {
183 + putenv("SELINUX_INIT=YES");
184 + if (load_policy(&enforce) == 0 ) {
185 + execv(myname, argv);
188 + /* SELinux in enforcing mode but load_policy failed */
189 + /* At this point, we probably can't open /dev/console, so initlog() won't work */
190 + fprintf(stderr,"Enforcing mode requested but no policy loaded. Halting now.\n");
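Review bot: The re-exec guard `if (getenv("SELINUX_INIT") == NULL)` treats any pre-existing SELINUX_INIT variable as proof that policy was already loaded, so an init started with that variable already set skips `load_policy` and never reaches the enforcing-mode halt below. The kernel hands unrecognised `name=value` boot parameters to init as environment, so it would be safer to confirm the loaded state than to trust the variable alone. At minimum the guard should be documented, e.g. `/* SELINUX_INIT only marks the re-exec after policy load; it is not a security boundary */`. The handling after a failed `execv(myname, argv)` is on lines not shown in this listing, so I could not confirm that a failed re-exec is reported.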
199 --- sysvinit-2.85/src/sulogin.c.orig 2004-07-15 21:46:46.585783085 +0000
200 +++ sysvinit-2.85/src/sulogin.c 2004-07-15 21:49:43.413905919 +0000
204 #include "blowfish.h"
206 +#include <selinux/selinux.h>
207 +#include <selinux/get_context_list.h>
213 signal(SIGINT, SIG_DFL);
214 signal(SIGTSTP, SIG_DFL);
215 signal(SIGQUIT, SIG_DFL);
217 + if (is_selinux_enabled > 0) {
218 + security_context_t* contextlist=NULL;
219 + if (get_ordered_context_list("root", 0, &contextlist) > 0) {
220 + if (setexeccon(contextlist[0]) != 0)
221 + fprintf(stderr, "setexeccon failed\n");
222 + freeconary(contextlist);
226 execl(sushell, shell, NULL);
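Review bot: `if (is_selinux_enabled > 0)` is missing the call parentheses, so it tests the function's address rather than its return value and the branch is entered whether or not SELinux is enabled; it should read `if (is_selinux_enabled() > 0) {`. Inside the branch, a failure of `get_ordered_context_list` is silent and a failed `setexeccon` only prints to stderr before `execl(sushell, shell, NULL)` runs anyway, so the shell then starts in whatever context sulogin itself has. If that fallback is intended for a rescue shell, a comment saying so would help. Not every line between the new includes and this block is visible here, so I could not see whether the added code is wrapped in `#ifdef WITH_SELINUX`.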
229 --- sysvinit-2.86/src/killall5.c.orig 2004-12-26 23:22:03.520344296 +0100
230 +++ sysvinit-2.86/src/killall5.c 2004-12-26 23:27:39.693238248 +0100
234 * Read the proc filesystem.
235 + * since pidOf does not use process sid added a needSid flag to eliminate
236 + * the need of this privs for SELinux
240 +int readproc(int needSid)
249 p->sid = getsid(pid);
260 /* Process disappeared.. */
265 /* Print out process-ID's one by one. */
268 for(f = 0; f < argc; f++) {
269 if ((q = pidof(argv[f])) != NULL) {
274 /* Read /proc filesystem */
275 - if (readproc() < 0) {
276 + if (readproc(1) < 0) {
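Review bot: The new comment on `readproc(int needSid)` explains why the flag exists but not what callers get; it should state that `p->sid` is filled by `getsid(pid)` only when `needSid` is non-zero and say what the field holds otherwise. The guard around `p->sid = getsid(pid);` and the `pidof` call site are not visible in this listing. If the entry is not zero-initialised, the skipped path would leave `sid` indeterminate for any later reader, so an explicit `p->sid = 0;` in the else branch would remove the doubt. A clearer wording would be `/* needSid: non-zero to look up each process's session id; pidof passes 0 so it does not need that privilege under SELinux. */`.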
280 --- sysvinit-2.86/src/Makefile.orig 2004-12-26 23:22:03.472351592 +0100
281 +++ sysvinit-2.86/src/Makefile 2004-12-26 23:28:26.488124344 +0100
283 all: $(BIN) $(SBIN) $(USRBIN)
285 init: init.o init_utmp.o
286 - $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
287 + $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
289 halt: halt.o ifdown.o hddown.o utmp.o reboot.h
290 $(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
292 $(CC) $(LDFLAGS) -o $@ runlevel.o
294 sulogin: sulogin.o md5_broken.o md5_crypt_broken.o arc4random.o bcrypt.o blowfish.o
295 - $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
296 + $(CC) $(LDFLAGS) $(STATIC) -DWITH_SELINUX -o $@ $^ $(LCRYPT) -lselinux
298 wall: dowall.o wall.o
299 $(CC) $(LDFLAGS) -o $@ dowall.o wall.o
302 $(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
304 +sulogin.o: sulogin.c
305 + $(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c
307 init.o: init.c init.h set.h reboot.h initreq.h
308 - $(CC) -c $(CFLAGS) init.c
309 + $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
311 utmp.o: utmp.c init.h
312 $(CC) -c $(CFLAGS) utmp.c
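Review bot: On the `sulogin` link rule, `-DWITH_SELINUX` is a preprocessor define and has no effect when only object files are being linked; the define that matters is the one on the new `sulogin.o` rule, so it can be dropped from the link line. The define and `-lsepol -lselinux` are also added unconditionally, and `init` is linked with `$(STATIC)`, so the build now needs libselinux and libsepol (as static archives when `$(STATIC)` is set) even where SELinux support is not wanted. Make variables set only when the feature is requested, for example `SELINUX_DEF` and `SELINUX_LIBS`, would keep `WITH_SELINUX` a real switch.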