- new patches

[packages/SysVinit.git] / sysvinit-selinux.patch

--- sysvinit-2.85/src/Makefile.selinux  2003-12-18 10:59:15.000000000 -0500
+++ sysvinit-2.85/src/Makefile  2003-12-18 10:59:15.000000000 -0500
@@ -32,7 +32,7 @@
 all:           $(PROGS)
 
 init:          init.o init_utmp.o
-               $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+               $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lselinux
 
 halt:          halt.o ifdown.o hddown.o utmp.o reboot.h
                $(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -62,7 +62,7 @@
                $(CC) $(LDFLAGS) -o $@ bootlogd.o
 
 init.o:                init.c init.h set.h reboot.h
-               $(CC) -c $(CFLAGS) init.c
+               $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
 
 utmp.o:                utmp.c init.h
                $(CC) -c $(CFLAGS) utmp.c
--- sysvinit-2.85/src/init.c.selinux    2003-12-18 10:59:15.000000000 -0500
+++ sysvinit-2.85/src/init.c    2003-12-18 11:01:06.000000000 -0500
@@ -78,6 +78,81 @@
                        sigemptyset(&sa.sa_mask); \
                        sigaction(sig, &sa, NULL); \
                } while(0)
+#ifdef WITH_SELINUX
+#include <sys/mman.h>
+#include <selinux/selinux.h>
+#include <sys/mount.h>
+
+static int load_policy(int *enforce) 
+{
+  int fd=-1,ret=-1;
+  int rc=0;
+  struct stat sb;
+  void *map;
+  char policy_file[PATH_MAX];
+  int policy_version=0;
+  extern char *selinux_mnt;
+
+  log(L_VB, "Loading security policy\n");
+  if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
+    if (errno == ENODEV) {
+      log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
+    } 
+    else {
+      log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
+      return ret;
+    }
+    return ret; /* Never gets here */
+  }
+
+  selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
+
+  policy_version=security_policyvers();
+  if (policy_version < 0) {
+    log(L_VB,  "Can't get policy version: %s\n", strerror(errno));
+    goto UMOUNT;
+  }
+  
+  rc=security_getenforce();
+  if (rc < 0) {
+    log(L_VB,  "Can't get SELinux enforcement flag: %s\n", strerror(errno));
+    goto UMOUNT;
+  } 
+  *enforce=rc;
+
+  snprintf(policy_file,sizeof(policy_file),"%s.%d",SELINUXPOLICY,policy_version);
+  fd = open(policy_file, O_RDONLY);
+  if (fd < 0) {
+    log(L_VB,  "Can't open '%s':  %s\n",
+           policy_file, strerror(errno));
+    goto UMOUNT;
+  }
+  
+  if (fstat(fd, &sb) < 0) {
+    log(L_VB, "Can't stat '%s':  %s\n",
+           policy_file, strerror(errno));
+    goto UMOUNT;
+  }
+  
+  map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
+  if (map == MAP_FAILED) {
+    log(L_VB,  "Can't map '%s':  %s\n",
+           policy_file, strerror(errno));
+    goto UMOUNT;
+  }
+  ret=security_load_policy(map, sb.st_size);
+  if (ret < 0) {
+    log(L_VB, "security_load_policy failed\n");
+  }
+
+ UMOUNT:
+  /*umount(SELINUXMNT); */
+  if ( fd >= 0) {
+    close(fd);
+  }
+  return(ret);
+}
+#endif
 
 /* Version information */
 char *Version = "@(#) init " VERSION "  " DATE "  miquels@cistron.nl";
@@ -2576,6 +2651,20 @@
                maxproclen += strlen(argv[f]) + 1;
        }
 
+#ifdef WITH_SELINUX
+       if (getenv("SELINUX_INIT") == NULL) {
+         putenv("SELINUX_INIT=YES");
+         int enforce=0;
+         if (load_policy(&enforce) == 0 ) {
+           execv(myname, argv);
+         } else {
+           if (enforce) 
+             /* SELinux in enforcing mode but load_policy failed */
+             exit(1);
+         }
+       }
+#endif
+  
        /* Start booting. */
        argv0 = argv[0];
        argv[1] = NULL;
--- sysvinit-2.85/src/killall5.c.selinux        2003-12-18 10:59:15.000000000 -0500
+++ sysvinit-2.85/src/killall5.c        2003-12-22 17:25:56.959018239 -0500
@@ -144,8 +144,11 @@
 
 /*
  *     Read the proc filesystem.
+ *      since pidOf does not use process sid added a needSid flag to eliminate
+ *     the need of this privs for SELinux
+ *
  */
-int readproc()
+int readproc(int needSid)
 {
        DIR *dir;
        struct dirent *d;
@@ -221,12 +224,16 @@
                        free(p);
                        continue;
                }
-               p->sid = getsid(pid);
-               if (p->sid < 0) {
-                       p->sid = 0;
-                       nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
-                       free(p);
-                       continue;
+               if (needSid) {
+                 p->sid = getsid(pid);
+                 if (p->sid < 0) {
+                   p->sid = 0;
+                   nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
+                   free(p);
+                   continue;
+                 }
+               } else {
+                   p->sid = 0;
                }
 
                /* Now read argv[0] */
@@ -463,7 +470,7 @@
        argv += optind;
 
        /* Print out process-ID's one by one. */
-       readproc();
+       readproc(0);
        for(f = 0; f < argc; f++) {
                if ((q = pidof(argv[f])) != NULL) {
                        spid = 0;
@@ -544,7 +551,7 @@
        stopped = 1;
 
        /* Find out our own 'sid'. */
-       if (readproc() < 0) {
+       if (readproc(1) < 0) {
                kill(-1, SIGCONT);
                exit(1);
        }