1 --- sysvinit-2.85/src/init.c.selinux 2004-06-09 15:28:47.478406720 -0400
2 +++ sysvinit-2.85/src/init.c 2004-06-09 15:29:03.208015456 -0400
5 #include <sys/syslog.h>
8 +#include <selinux/selinux.h>
9 +#include <sys/mount.h>
15 int dfl_level = 0; /* Default runlevel */
16 sig_atomic_t got_cont = 0; /* Set if we received the SIGCONT signal */
17 sig_atomic_t got_signals; /* Set if we received a signal. */
18 +int enforcing = -1; /* SELinux enforcing mode */
19 int emerg_shell = 0; /* Start emergency shell? */
20 int wrote_wtmp_reboot = 1; /* Set when we wrote the reboot record */
21 int wrote_utmp_reboot = 1; /* Set when we wrote the reboot record */
26 +/* Mount point for selinuxfs. */
27 +#define SELINUXMNT "/selinux/"
29 +static int load_policy(int *enforce)
35 + char policy_file[PATH_MAX];
36 + int policy_version=0;
37 + extern char *selinux_mnt;
42 + selinux_getenforcemode(&seconfig);
44 + mount("none", "/proc", "proc", 0, 0);
45 + cfg = fopen("/proc/cmdline","r");
48 + if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
49 + if (tmp == buf || isspace(*(tmp-1))) {
50 + enforcing=atoi(tmp+10);
56 + umount2("/proc",MNT_DETACH);
59 + *enforce = enforcing;
60 + else if (seconfig == 1)
63 + if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
64 + if (errno == ENODEV) {
65 + log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
68 + log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
73 + selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
75 + policy_version=security_policyvers();
76 + if (policy_version < 0) {
77 + log(L_VB, "Can't get policy version: %s\n", strerror(errno));
81 + rc = security_getenforce();
83 + log(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno));
86 + if (enforcing >= 0) {
87 + *enforce = enforcing;
88 + } else if (seconfig == -1) {
90 + rc = security_disable();
91 + if (rc == 0) umount(SELINUXMNT);
93 + rc = security_setenforce(0);
95 + log(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
101 + } else if (seconfig >= 0) {
102 + *enforce = seconfig;
103 + rc = security_setenforce(seconfig);
105 + log(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
110 + snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
111 + fd = open(policy_file, O_RDONLY);
113 + /* Check previous version to see if old policy is available
115 + snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
116 + fd = open(policy_file, O_RDONLY);
118 + log(L_VB, "Can't open '%s.%d': %s\n",
119 + selinux_binary_policy_path(),policy_version,strerror(errno));
124 + if (fstat(fd, &sb) < 0) {
125 + log(L_VB, "Can't stat '%s': %s\n",
126 + policy_file, strerror(errno));
130 + map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
131 + if (map == MAP_FAILED) {
132 + log(L_VB, "Can't map '%s': %s\n",
133 + policy_file, strerror(errno));
136 + log(L_VB, "Loading security policy\n");
137 + ret=security_load_policy(map, sb.st_size);
139 + log(L_VB, "security_load_policy failed\n");
143 + /*umount(SELINUXMNT); */
151 * Sleep a number of seconds.
153 @@ -2513,6 +2642,7 @@
159 /* Get my own name */
160 if ((p = strrchr(argv[0], '/')) != NULL)
161 @@ -2576,6 +2706,20 @@
162 maxproclen += strlen(argv[f]) + 1;
165 + if (getenv("SELINUX_INIT") == NULL) {
166 + putenv("SELINUX_INIT=YES");
167 + if (load_policy(&enforce) == 0 ) {
168 + execv(myname, argv);
171 + /* SELinux in enforcing mode but load_policy failed */
172 + /* At this point, we probably can't open /dev/console, so log() won't work */
173 + printf("Enforcing mode requested but no policy loaded. Halting now.\n");
182 --- sysvinit-2.85/src/sulogin.c.orig 2004-07-15 21:46:46.585783085 +0000
183 +++ sysvinit-2.85/src/sulogin.c 2004-07-15 21:49:43.413905919 +0000
187 #include "blowfish.h"
189 +#include <selinux/selinux.h>
190 +#include <selinux/get_context_list.h>
196 signal(SIGINT, SIG_DFL);
197 signal(SIGTSTP, SIG_DFL);
198 signal(SIGQUIT, SIG_DFL);
200 + if (is_selinux_enabled > 0) {
201 + security_context_t* contextlist=NULL;
202 + if (get_ordered_context_list("root", 0, &contextlist) > 0) {
203 + if (setexeccon(contextlist[0]) != 0)
204 + fprintf(stderr, "setexeccon faile\n");
205 + freeconary(contextlist);
209 execl(sushell, shell, NULL);
212 --- sysvinit-2.85/src/killall5.c.selinux 2004-06-09 15:28:47.362424352 -0400
213 +++ sysvinit-2.85/src/killall5.c 2004-06-09 15:28:47.525399576 -0400
217 * Read the proc filesystem.
218 + * since pidOf does not use process sid added a needSid flag to eliminate
219 + * the need of this privs for SELinux
223 +int readproc(int needSid)
227 @@ -221,12 +224,16 @@
231 - p->sid = getsid(pid);
234 - nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
238 + p->sid = getsid(pid);
241 + nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
249 /* Now read argv[0] */
253 /* Print out process-ID's one by one. */
256 for(f = 0; f < argc; f++) {
257 if ((q = pidof(argv[f])) != NULL) {
262 /* Find out our own 'sid'. */
263 - if (readproc() < 0) {
264 + if (readproc(1) < 0) {
268 --- sysvinit-2.85/src/Makefile.orig 2004-07-15 21:46:46.587736210 +0000
269 +++ sysvinit-2.85/src/Makefile 2004-07-15 21:50:39.413905233 +0000
273 init: init.o init_utmp.o
274 - $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
275 + $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lselinux
277 halt: halt.o ifdown.o hddown.o utmp.o reboot.h
278 $(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
280 $(CC) $(LDFLAGS) -o $@ runlevel.o
282 sulogin: sulogin.o md5_broken.o md5_crypt_broken.o arc4random.o bcrypt.o blowfish.o
283 - $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
284 + $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT) -lselinux
286 wall: dowall.o wall.o
287 $(CC) $(LDFLAGS) -o $@ dowall.o wall.o
290 $(CC) $(LDFLAGS) -o $@ bootlogd.o
292 +sulogin.o: sulogin.c
293 + $(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c
295 init.o: init.c init.h set.h reboot.h
296 - $(CC) -c $(CFLAGS) init.c
297 + $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
299 utmp.o: utmp.c init.h
300 $(CC) -c $(CFLAGS) utmp.c