- logrotate is optional, but mingetty is required by provided inittab to access machine

[packages/SysVinit.git] / sysvinit-selinux.patch

--- sysvinit-2.85/src/init.c.selinux    2004-06-09 15:28:47.478406720 -0400
+++ sysvinit-2.85/src/init.c    2004-06-09 15:29:03.208015456 -0400
@@ -48,6 +48,10 @@
 #include <stdarg.h>
 #include <sys/syslog.h>
 #include <sys/time.h>
+#include <sys/mman.h>
+#include <selinux/selinux.h>
+#include <sys/mount.h>
+
 
 #ifdef __i386__
 #  if (__GLIBC__ >= 2)
@@ -103,6 +107,7 @@
 int dfl_level = 0;             /* Default runlevel */
 sig_atomic_t got_cont = 0;     /* Set if we received the SIGCONT signal */
 sig_atomic_t got_signals;      /* Set if we received a signal. */
+int enforcing = -1;            /* SELinux enforcing mode */
 int emerg_shell = 0;           /* Start emergency shell? */
 int wrote_wtmp_reboot = 1;     /* Set when we wrote the reboot record */
 int wrote_utmp_reboot = 1;     /* Set when we wrote the reboot record */
@@ -187,6 +192,130 @@
        {NULL,0}
 };
 
+/* Mount point for selinuxfs. */
+#define SELINUXMNT "/selinux/"
+
+static int load_policy(int *enforce) 
+{
+       int fd=-1,ret=-1;
+       int rc=0;
+       struct stat sb;
+       void *map;
+       char policy_file[PATH_MAX];
+       int policy_version=0;
+       extern char *selinux_mnt;
+       FILE *cfg;
+       char buf[4096];
+       int seconfig = -2;
+       
+       selinux_getenforcemode(&seconfig);
+
+       mount("none", "/proc", "proc", 0, 0);
+       cfg = fopen("/proc/cmdline","r");
+       if (cfg) {
+               char *tmp;
+               if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
+                       if (tmp == buf || isspace(*(tmp-1))) {
+                               enforcing=atoi(tmp+10);
+                       }
+               }
+               fclose(cfg);
+       }
+#define MNT_DETACH 2
+       umount2("/proc",MNT_DETACH);
+       
+       if (enforcing >=0)
+               *enforce = enforcing;
+       else if (seconfig == 1)
+               *enforce = 1;
+       
+       if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
+               if (errno == ENODEV) {
+                       log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
+                       *enforce = 0;
+               } else {
+                       log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
+               }
+               return ret;
+       }
+
+       selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
+
+       policy_version=security_policyvers();
+       if (policy_version < 0) {
+               log(L_VB,  "Can't get policy version: %s\n", strerror(errno));
+               goto UMOUNT;
+       }
+  
+       rc = security_getenforce();
+       if (rc < 0) {
+               log(L_VB,  "Can't get SELinux enforcement flag: %s\n", strerror(errno));
+               goto UMOUNT;
+       }
+       if (enforcing >= 0) {
+               *enforce = enforcing;
+       } else if (seconfig == -1) {
+               *enforce = 0;
+               rc = security_disable();
+               if (rc == 0) umount(SELINUXMNT);
+               if (rc < 0) {
+                       rc = security_setenforce(0);
+                       if (rc < 0) {
+                               log(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
+                               goto UMOUNT;
+                       }
+               }
+               ret = 0;
+               goto UMOUNT;
+       } else if (seconfig >= 0) {
+               *enforce = seconfig;
+               rc = security_setenforce(seconfig);
+               if (rc < 0) {
+                       log(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
+                       goto UMOUNT;
+               }
+       }
+
+       snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
+       fd = open(policy_file, O_RDONLY);
+       if (fd < 0) {
+               /* Check previous version to see if old policy is available
+                */
+               snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
+               fd = open(policy_file, O_RDONLY);
+               if (fd < 0) {
+                       log(L_VB,  "Can't open '%s.%d':  %s\n",
+                           selinux_binary_policy_path(),policy_version,strerror(errno));
+                       goto UMOUNT;
+               }
+       }
+  
+       if (fstat(fd, &sb) < 0) {
+               log(L_VB, "Can't stat '%s':  %s\n",
+                   policy_file, strerror(errno));
+               goto UMOUNT;
+       }
+  
+       map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
+       if (map == MAP_FAILED) {
+               log(L_VB,  "Can't map '%s':  %s\n",
+                   policy_file, strerror(errno));
+               goto UMOUNT;
+       }
+       log(L_VB, "Loading security policy\n");
+       ret=security_load_policy(map, sb.st_size);
+       if (ret < 0) {
+               log(L_VB, "security_load_policy failed\n");
+       }
+
+UMOUNT:
+       /*umount(SELINUXMNT); */
+       if ( fd >= 0) {
+               close(fd);
+       }
+       return(ret);
+}
+
 /*
  *     Sleep a number of seconds.
  *
@@ -2513,6 +2642,7 @@
        char                    *p;
        int                     f;
        int                     isinit;
+       int                     enforce = 0;
 
        /* Get my own name */
        if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2576,6 +2706,20 @@
                maxproclen += strlen(argv[f]) + 1;
        }
 
+       if (getenv("SELINUX_INIT") == NULL) {
+         putenv("SELINUX_INIT=YES");
+         if (load_policy(&enforce) == 0 ) {
+           execv(myname, argv);
+         } else {
+           if (enforce > 0) {
+             /* SELinux in enforcing mode but load_policy failed */
+             /* At this point, we probably can't open /dev/console, so log() won't work */
+             printf("Enforcing mode requested but no policy loaded. Halting now.\n");
+             exit(1);
+           }
+         }
+       }
+  
        /* Start booting. */
        argv0 = argv[0];
        argv[1] = NULL;
--- sysvinit-2.85/src/sulogin.c.orig    2004-07-15 21:46:46.585783085 +0000
+++ sysvinit-2.85/src/sulogin.c 2004-07-15 21:49:43.413905919 +0000
@@ -29,6 +29,10 @@
 #endif
 #include "md5.h"
 #include "blowfish.h"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif
 
 #define CHECK_DES      1
 #define CHECK_MD5      1
@@ -358,6 +362,16 @@
        signal(SIGINT, SIG_DFL);
        signal(SIGTSTP, SIG_DFL);
        signal(SIGQUIT, SIG_DFL);
+#ifdef WITH_SELINUX
+       if (is_selinux_enabled > 0) {
+         security_context_t* contextlist=NULL;
+         if (get_ordered_context_list("root", 0, &contextlist) > 0) {
+           if (setexeccon(contextlist[0]) != 0) 
+             fprintf(stderr, "setexeccon faile\n");
+           freeconary(contextlist);
+         }
+       }
+#endif
        execl(sushell, shell, NULL);
        perror(sushell);
 
--- sysvinit-2.85/src/killall5.c.selinux        2004-06-09 15:28:47.362424352 -0400
+++ sysvinit-2.85/src/killall5.c        2004-06-09 15:28:47.525399576 -0400
@@ -144,8 +144,11 @@
 
 /*
  *     Read the proc filesystem.
+ *      since pidOf does not use process sid added a needSid flag to eliminate
+ *     the need of this privs for SELinux
+ *
  */
-int readproc()
+int readproc(int needSid)
 {
        DIR *dir;
        struct dirent *d;
@@ -221,12 +224,16 @@
                        free(p);
                        continue;
                }
-               p->sid = getsid(pid);
-               if (p->sid < 0) {
-                       p->sid = 0;
-                       nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
-                       free(p);
-                       continue;
+               if (needSid) {
+                 p->sid = getsid(pid);
+                 if (p->sid < 0) {
+                   p->sid = 0;
+                   nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
+                   free(p);
+                   continue;
+                 }
+               } else {
+                   p->sid = 0;
                }
 
                /* Now read argv[0] */
@@ -463,7 +470,7 @@
        argv += optind;
 
        /* Print out process-ID's one by one. */
-       readproc();
+       readproc(0);
        for(f = 0; f < argc; f++) {
                if ((q = pidof(argv[f])) != NULL) {
                        spid = 0;
@@ -544,7 +551,7 @@
        stopped = 1;
 
        /* Find out our own 'sid'. */
-       if (readproc() < 0) {
+       if (readproc(1) < 0) {
                kill(-1, SIGCONT);
                exit(1);
        }
--- sysvinit-2.85/src/Makefile.orig     2004-07-15 21:46:46.587736210 +0000
+++ sysvinit-2.85/src/Makefile  2004-07-15 21:50:39.413905233 +0000
@@ -36,7 +36,7 @@
 all:           $(PROGS)
 
 init:          init.o init_utmp.o
-               $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+               $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lselinux
 
 halt:          halt.o ifdown.o hddown.o utmp.o reboot.h
                $(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -54,7 +54,7 @@
                $(CC) $(LDFLAGS) -o $@ runlevel.o
 
 sulogin:       sulogin.o md5_broken.o md5_crypt_broken.o arc4random.o bcrypt.o blowfish.o
-               $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
+               $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT) -lselinux
 
 wall:          dowall.o wall.o
                $(CC) $(LDFLAGS) -o $@ dowall.o wall.o
@@ -65,8 +65,11 @@
 bootlogd:      bootlogd.o
                $(CC) $(LDFLAGS) -o $@ bootlogd.o
 
+sulogin.o:     sulogin.c 
+               $(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c
+
 init.o:                init.c init.h set.h reboot.h
-               $(CC) -c $(CFLAGS) init.c
+               $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
 
 utmp.o:                utmp.c init.h
                $(CC) -c $(CFLAGS) utmp.c