[packages/SysVinit.git] / sysvinit-selinux.patch

diff -urN sysvinit-2.86.org/src/init.c sysvinit-2.86/src/init.c
--- sysvinit-2.86.org/src/init.c	2004-07-30 14:16:20.000000000 +0200
+++ sysvinit-2.86/src/init.c	2005-08-16 18:46:21.493714904 +0200
@@ -42,6 +42,11 @@
 #include <stdarg.h>
 #include <sys/syslog.h>
 #include <sys/time.h>
+#include <sys/mman.h>
+#include <selinux/selinux.h>
+#include <sepol/sepol.h>
+#include <sys/mount.h>
+
 
 #ifdef __i386__
 #  if (__GLIBC__ >= 2)
@@ -104,6 +109,7 @@
 int dfl_level = 0;		/* Default runlevel */
 sig_atomic_t got_cont = 0;	/* Set if we received the SIGCONT signal */
 sig_atomic_t got_signals;	/* Set if we received a signal. */
+int enforcing = -1;		/* SELinux enforcing mode */
 int emerg_shell = 0;		/* Start emergency shell? */
 int wrote_wtmp_reboot = 1;	/* Set when we wrote the reboot record */
 int wrote_utmp_reboot = 1;	/* Set when we wrote the reboot record */
@@ -192,6 +198,146 @@
 char *extra_env[NR_EXTRA_ENV];
 
 
+/* Mount point for selinuxfs. */
+#define SELINUXMNT "/selinux/"
+
+static int load_policy(int *enforce) 
+{
+	int fd=-1,ret=-1;
+	int rc=0, orig_enforce;
+	struct stat sb;
+	void *map;
+	char policy_file[PATH_MAX];
+	int policy_version=0;
+	FILE *cfg;
+	char buf[4096];
+	int seconfig = -2;
+	
+	selinux_getenforcemode(&seconfig);
+
+	mount("none", "/proc", "proc", 0, 0);
+	cfg = fopen("/proc/cmdline","r");
+	if (cfg) {
+		char *tmp;
+		if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
+			if (tmp == buf || isspace(*(tmp-1))) {
+				enforcing=atoi(tmp+10);
+			}
+		}
+		fclose(cfg);
+	}
+#define MNT_DETACH 2
+	umount2("/proc",MNT_DETACH);
+	
+	if (enforcing >=0)
+		*enforce = enforcing;
+	else if (seconfig == 1)
+		*enforce = 1;
+	
+	if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
+		if (errno == ENODEV) {
+			log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
+			*enforce = 0;
+		} else {
+			log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
+		}
+		return ret;
+	}
+
+	set_selinuxmnt(SELINUXMNT); /* set manually since we mounted it */
+
+	policy_version=security_policyvers();
+	if (policy_version < 0) {
+		log(L_VB,  "Can't get policy version: %s\n", strerror(errno));
+		goto UMOUNT;
+	}
+  
+	orig_enforce = rc = security_getenforce();
+	if (rc < 0) {
+		log(L_VB,  "Can't get SELinux enforcement flag: %s\n", strerror(errno));
+		goto UMOUNT;
+	}
+	if (enforcing >= 0) {
+		*enforce = enforcing;
+	} else if (seconfig == -1) {
+		*enforce = 0;
+		rc = security_disable();
+		if (rc == 0) umount(SELINUXMNT);
+		if (rc < 0) {
+			rc = security_setenforce(0);
+			if (rc < 0) {
+				log(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
+				goto UMOUNT;
+			}
+		}
+		ret = 0;
+		goto UMOUNT;
+	} else if (seconfig >= 0) {
+		*enforce = seconfig;
+		if (orig_enforce != *enforce) {
+			rc = security_setenforce(seconfig);
+			if (rc < 0) {
+				log(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
+				goto UMOUNT;
+			}
+		}
+	}
+
+	snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
+	fd = open(policy_file, O_RDONLY);
+	if (fd < 0) {
+		/* Check previous version to see if old policy is available
+		 */
+		snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
+		fd = open(policy_file, O_RDONLY);
+		if (fd < 0) {
+			log(L_VB,  "Can't open '%s.%d':  %s\n",
+			    selinux_binary_policy_path(),policy_version,strerror(errno));
+			goto UMOUNT;
+		}
+	}
+  
+	if (fstat(fd, &sb) < 0) {
+		log(L_VB, "Can't stat '%s':  %s\n",
+		    policy_file, strerror(errno));
+		goto UMOUNT;
+	}
+  
+	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+	if (map == MAP_FAILED) {
+		log(L_VB,  "Can't map '%s':  %s\n",
+		    policy_file, strerror(errno));
+		goto UMOUNT;
+	}
+
+
+	/* Set booleans based on a booleans configuration file. */
+	ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
+	if (ret < 0) {
+		if (errno == ENOENT || errno == EINVAL) {
+			/* No booleans file or stale booleans in the file; non-fatal. */
+			log(L_VB,"Warning!  Error while setting booleans:  %s\n"
+			    , strerror(errno));
+		} else {
+			log(L_VB,"Error while setting booleans:  %s\n", 
+			    strerror(errno));
+			goto UMOUNT;
+		}
+	}
+	log(L_VB, "Loading security policy\n");
+	ret=security_load_policy(map, sb.st_size);
+	if (ret < 0) {
+		log(L_VB, "security_load_policy failed\n");
+	}
+
+UMOUNT:
+	/*umount(SELINUXMNT); */
+	if ( fd >= 0) {
+		close(fd);
+	}
+	return(ret);
+}
+
 /*
  *	Sleep a number of seconds.
  *
@@ -2599,6 +2745,7 @@
 	char			*p;
 	int			f;
 	int			isinit;
+	int			enforce = 0;
 
 	/* Get my own name */
 	if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2662,6 +2809,20 @@
 		maxproclen += strlen(argv[f]) + 1;
 	}
 
+  	if (getenv("SELINUX_INIT") == NULL) {
+	  putenv("SELINUX_INIT=YES");
+	  if (load_policy(&enforce) == 0 ) {
+	    execv(myname, argv);
+	  } else {
+	    if (enforce > 0) {
+	      /* SELinux in enforcing mode but load_policy failed */
+	      /* At this point, we probably can't open /dev/console, so log() won't work */
+		    fprintf(stderr,"Enforcing mode requested but no policy loaded. Halting now.\n");
+	      exit(1);
+	    }
+	  }
+	}
+  
 	/* Start booting. */
 	argv0 = argv[0];
 	argv[1] = NULL;
diff -urN sysvinit-2.86.org/src/killall5.c sysvinit-2.86/src/killall5.c
--- sysvinit-2.86.org/src/killall5.c	2005-08-16 18:45:33.280044000 +0200
+++ sysvinit-2.86/src/killall5.c	2005-08-16 18:49:39.851559928 +0200
@@ -166,8 +166,11 @@
 
 /*
  *	Read the proc filesystem.
+ *      since pidOf does not use process sid added a needSid flag to eliminate
+ *	the need of this privs for SELinux
+ *
  */
-int readproc()
+int readproc(int needSid)
 {
 	DIR		*dir;
 	FILE		*fp;
@@ -252,13 +255,17 @@
 					p->kernel = 1;
 			}
 			fclose(fp);
-			p->sid = getsid(pid);
-			if (p->sid < 0) {
+			if (needSid) {
+			    p->sid = getsid(pid);
+			    if (p->sid < 0) {
 				p->sid = 0;
 				nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
 				free(p->statname);
 				free(p);
 				continue;
+			    }
+			} else {
+			    p->sid = 0;
 			}
 		} else {
 			/* Process disappeared.. */
@@ -531,7 +538,7 @@
 	argv += optind;
 
 	/* Print out process-ID's one by one. */
-	readproc();
+	readproc(0);
 	for(f = 0; f < argc; f++) {
 		if ((q = pidof(argv[f])) != NULL) {
 			spid = 0;
@@ -612,7 +619,7 @@
 	sent_sigstop = 1;
 
 	/* Read /proc filesystem */
-	if (readproc() < 0) {
+	if (readproc(1) < 0) {
 		kill(-1, SIGCONT);
 		exit(1);
 	}
diff -urN sysvinit-2.86.org/src/Makefile sysvinit-2.86/src/Makefile
--- sysvinit-2.86.org/src/Makefile	2005-08-16 18:45:33.271045000 +0200
+++ sysvinit-2.86/src/Makefile	2005-08-16 18:50:59.463457080 +0200
@@ -58,7 +58,7 @@
 all:		$(BIN) $(SBIN) $(USRBIN)
 
 init:		init.o init_utmp.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
 
 halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
 		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -79,7 +79,7 @@
 		$(CC) $(LDFLAGS) -o $@ runlevel.o
 
 sulogin:	sulogin.o md5_broken.o md5_crypt_broken.o arc4random.o bcrypt.o blowfish.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
+		$(CC) $(LDFLAGS) $(STATIC) -DWITH_SELINUX -o $@ $^ $(LCRYPT) -lselinux
 
 wall:		dowall.o wall.o
 		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
@@ -90,8 +90,11 @@
 bootlogd:	bootlogd.o
 		$(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
 
+sulogin.o:	sulogin.c
+		$(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c
+	
 init.o:		init.c init.h set.h reboot.h initreq.h
-		$(CC) -c $(CFLAGS) init.c
+		$(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
 
 utmp.o:		utmp.c init.h
 		$(CC) -c $(CFLAGS) utmp.c
diff -urN sysvinit-2.86.org/src/sulogin.c sysvinit-2.86/src/sulogin.c
--- sysvinit-2.86.org/src/sulogin.c	2005-08-16 18:45:33.274045000 +0200
+++ sysvinit-2.86/src/sulogin.c	2005-08-16 18:47:36.793267632 +0200
@@ -29,7 +29,10 @@
 #endif
 #include "md5.h"
 #include "blowfish.h"
-
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif
 #define CHECK_DES	1
 #define CHECK_MD5	1
 #define CHECK_BLOWFISH	1
@@ -362,6 +365,16 @@
 	signal(SIGINT, SIG_DFL);
 	signal(SIGTSTP, SIG_DFL);
 	signal(SIGQUIT, SIG_DFL);
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled > 0) {
+	  security_context_t* contextlist=NULL;
+	  if (get_ordered_context_list("root", 0, &contextlist) > 0) {
+	    if (setexeccon(contextlist[0]) != 0) 
+	      fprintf(stderr, "setexeccon faile\n");
+	    freeconary(contextlist);
+	  }
+	}
+#endif
 	execl(sushell, shell, NULL);
 	perror(sushell);
Commit	Line	Data
68a85958 AM	1	diff -urN sysvinit-2.86.org/src/init.c sysvinit-2.86/src/init.c
	2	--- sysvinit-2.86.org/src/init.c 2004-07-30 14:16:20.000000000 +0200
	3	+++ sysvinit-2.86/src/init.c 2005-08-16 18:46:21.493714904 +0200
	4	@@ -42,6 +42,11 @@
f31152bd JB	5	#include <stdarg.h>
	6	#include <sys/syslog.h>
	7	#include <sys/time.h>
437bcd41 AM	8	+#include <sys/mman.h>
437bcd41 AM	9	+#include <selinux/selinux.h>
ad6b8e9b	10	+#include <sepol/sepol.h>
437bcd41	11	+#include <sys/mount.h>
f31152bd JB	12	+
	13
	14	#ifdef __i386__
	15	# if (__GLIBC__ >= 2)
68a85958	16	@@ -104,6 +109,7 @@
f31152bd JB	17	int dfl_level = 0; /* Default runlevel */
	18	sig_atomic_t got_cont = 0; /* Set if we received the SIGCONT signal */
	19	sig_atomic_t got_signals; /* Set if we received a signal. */
	20	+int enforcing = -1; /* SELinux enforcing mode */
	21	int emerg_shell = 0; /* Start emergency shell? */
	22	int wrote_wtmp_reboot = 1; /* Set when we wrote the reboot record */
	23	int wrote_utmp_reboot = 1; /* Set when we wrote the reboot record */
68a85958 AM	24	@@ -192,6 +198,146 @@
	25	char *extra_env[NR_EXTRA_ENV];
	26
f31152bd JB	27
	28	+/* Mount point for selinuxfs. */
	29	+#define SELINUXMNT "/selinux/"
437bcd41 AM	30	+
	31	+static int load_policy(int *enforce)
	32	+{
f31152bd	33	+ int fd=-1,ret=-1;
ad6b8e9b	34	+ int rc=0, orig_enforce;
f31152bd JB	35	+ struct stat sb;
	36	+ void *map;
	37	+ char policy_file[PATH_MAX];
	38	+ int policy_version=0;
f31152bd JB	39	+ FILE *cfg;
	40	+ char buf[4096];
	41	+ int seconfig = -2;
	42	+
	43	+ selinux_getenforcemode(&seconfig);
437bcd41	44	+
f31152bd JB	45	+ mount("none", "/proc", "proc", 0, 0);
	46	+ cfg = fopen("/proc/cmdline","r");
	47	+ if (cfg) {
	48	+ char *tmp;
	49	+ if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
	50	+ if (tmp == buf \|\| isspace(*(tmp-1))) {
	51	+ enforcing=atoi(tmp+10);
	52	+ }
	53	+ }
	54	+ fclose(cfg);
	55	+ }
	56	+#define MNT_DETACH 2
	57	+ umount2("/proc",MNT_DETACH);
	58	+
	59	+ if (enforcing >=0)
	60	+ *enforce = enforcing;
	61	+ else if (seconfig == 1)
	62	+ *enforce = 1;
	63	+
	64	+ if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
	65	+ if (errno == ENODEV) {
68a85958	66	+ log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
f31152bd JB	67	+ *enforce = 0;
f31152bd JB	68	+ } else {
68a85958	69	+ log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
f31152bd JB	70	+ }
	71	+ return ret;
	72	+ }
437bcd41	73	+
ad6b8e9b	74	+ set_selinuxmnt(SELINUXMNT); /* set manually since we mounted it */
437bcd41	75	+
f31152bd JB	76	+ policy_version=security_policyvers();
f31152bd JB	77	+ if (policy_version < 0) {
68a85958	78	+ log(L_VB, "Can't get policy version: %s\n", strerror(errno));
f31152bd JB	79	+ goto UMOUNT;
f31152bd JB	80	+ }
437bcd41	81	+
ad6b8e9b	82	+ orig_enforce = rc = security_getenforce();
f31152bd	83	+ if (rc < 0) {
68a85958	84	+ log(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno));
f31152bd JB	85	+ goto UMOUNT;
	86	+ }
	87	+ if (enforcing >= 0) {
	88	+ *enforce = enforcing;
	89	+ } else if (seconfig == -1) {
	90	+ *enforce = 0;
	91	+ rc = security_disable();
	92	+ if (rc == 0) umount(SELINUXMNT);
	93	+ if (rc < 0) {
	94	+ rc = security_setenforce(0);
	95	+ if (rc < 0) {
68a85958	96	+ log(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
f31152bd JB	97	+ goto UMOUNT;
	98	+ }
	99	+ }
	100	+ ret = 0;
	101	+ goto UMOUNT;
	102	+ } else if (seconfig >= 0) {
	103	+ *enforce = seconfig;
ad6b8e9b JB	104	+ if (orig_enforce != *enforce) {
	105	+ rc = security_setenforce(seconfig);
	106	+ if (rc < 0) {
68a85958	107	+ log(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
ad6b8e9b JB	108	+ goto UMOUNT;
ad6b8e9b JB	109	+ }
f31152bd JB	110	+ }
f31152bd JB	111	+ }
437bcd41	112	+
f31152bd JB	113	+ snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
	114	+ fd = open(policy_file, O_RDONLY);
	115	+ if (fd < 0) {
	116	+ /* Check previous version to see if old policy is available
	117	+ */
	118	+ snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
	119	+ fd = open(policy_file, O_RDONLY);
	120	+ if (fd < 0) {
68a85958	121	+ log(L_VB, "Can't open '%s.%d': %s\n",
f31152bd JB	122	+ selinux_binary_policy_path(),policy_version,strerror(errno));
	123	+ goto UMOUNT;
	124	+ }
	125	+ }
437bcd41	126	+
f31152bd	127	+ if (fstat(fd, &sb) < 0) {
68a85958	128	+ log(L_VB, "Can't stat '%s': %s\n",
f31152bd JB	129	+ policy_file, strerror(errno));
	130	+ goto UMOUNT;
	131	+ }
437bcd41	132	+
ad6b8e9b	133	+ map = mmap(NULL, sb.st_size, PROT_READ \| PROT_WRITE, MAP_PRIVATE, fd, 0);
f31152bd	134	+ if (map == MAP_FAILED) {
68a85958	135	+ log(L_VB, "Can't map '%s': %s\n",
f31152bd JB	136	+ policy_file, strerror(errno));
	137	+ goto UMOUNT;
	138	+ }
ad6b8e9b JB	139	+
	140	+
	141	+ /* Set booleans based on a booleans configuration file. */
	142	+ ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
	143	+ if (ret < 0) {
	144	+ if (errno == ENOENT \|\| errno == EINVAL) {
	145	+ /* No booleans file or stale booleans in the file; non-fatal. */
68a85958	146	+ log(L_VB,"Warning! Error while setting booleans: %s\n"
ad6b8e9b JB	147	+ , strerror(errno));
ad6b8e9b JB	148	+ } else {
68a85958	149	+ log(L_VB,"Error while setting booleans: %s\n",
ad6b8e9b JB	150	+ strerror(errno));
	151	+ goto UMOUNT;
	152	+ }
	153	+ }
68a85958	154	+ log(L_VB, "Loading security policy\n");
f31152bd JB	155	+ ret=security_load_policy(map, sb.st_size);
f31152bd JB	156	+ if (ret < 0) {
68a85958	157	+ log(L_VB, "security_load_policy failed\n");
f31152bd	158	+ }
437bcd41	159	+
f31152bd JB	160	+UMOUNT:
	161	+ /umount(SELINUXMNT); /
	162	+ if ( fd >= 0) {
	163	+ close(fd);
	164	+ }
	165	+ return(ret);
437bcd41	166	+}
f31152bd JB	167	+
	168	/*
	169	* Sleep a number of seconds.
	170	*
68a85958	171	@@ -2599,6 +2745,7 @@
f31152bd JB	172	char *p;
	173	int f;
	174	int isinit;
	175	+ int enforce = 0;
437bcd41	176
f31152bd JB	177	/* Get my own name */
f31152bd JB	178	if ((p = strrchr(argv[0], '/')) != NULL)
68a85958	179	@@ -2662,6 +2809,20 @@
437bcd41 AM	180	maxproclen += strlen(argv[f]) + 1;
	181	}
	182
437bcd41	183	+ if (getenv("SELINUX_INIT") == NULL) {
7bf76497	184	+ putenv("SELINUX_INIT=YES");
437bcd41 AM	185	+ if (load_policy(&enforce) == 0 ) {
	186	+ execv(myname, argv);
	187	+ } else {
f31152bd	188	+ if (enforce > 0) {
437bcd41	189	+ /* SELinux in enforcing mode but load_policy failed */
68a85958	190	+ /* At this point, we probably can't open /dev/console, so log() won't work */
ad6b8e9b	191	+ fprintf(stderr,"Enforcing mode requested but no policy loaded. Halting now.\n");
437bcd41	192	+ exit(1);
f31152bd	193	+ }
437bcd41 AM	194	+ }
437bcd41 AM	195	+ }
437bcd41 AM	196	+
	197	/* Start booting. */
	198	argv0 = argv[0];
	199	argv[1] = NULL;
68a85958 AM	200	diff -urN sysvinit-2.86.org/src/killall5.c sysvinit-2.86/src/killall5.c
	201	--- sysvinit-2.86.org/src/killall5.c 2005-08-16 18:45:33.280044000 +0200
	202	+++ sysvinit-2.86/src/killall5.c 2005-08-16 18:49:39.851559928 +0200
ad6b8e9b	203	@@ -166,8 +166,11 @@
437bcd41 AM	204
	205	/*
	206	* Read the proc filesystem.
	207	+ * since pidOf does not use process sid added a needSid flag to eliminate
	208	+ * the need of this privs for SELinux
	209	+ *
	210	*/
	211	-int readproc()
	212	+int readproc(int needSid)
	213	{
ad6b8e9b JB	214	DIR *dir;
ad6b8e9b JB	215	FILE *fp;
68a85958	216	@@ -252,13 +255,17 @@
ad6b8e9b JB	217	p->kernel = 1;
	218	}
	219	fclose(fp);
68a85958 AM	220	- p->sid = getsid(pid);
68a85958 AM	221	- if (p->sid < 0) {
ad6b8e9b	222	+ if (needSid) {
68a85958 AM	223	+ p->sid = getsid(pid);
68a85958 AM	224	+ if (p->sid < 0) {
ad6b8e9b	225	p->sid = 0;
68a85958 AM	226	nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
68a85958 AM	227	free(p->statname);
ad6b8e9b JB	228	free(p);
ad6b8e9b JB	229	continue;
68a85958	230	+ }
ad6b8e9b	231	+ } else {
68a85958 AM	232	+ p->sid = 0;
68a85958 AM	233	}
ad6b8e9b JB	234	} else {
ad6b8e9b JB	235	/* Process disappeared.. */
ad6b8e9b	236	@@ -531,7 +538,7 @@
437bcd41 AM	237	argv += optind;
	238
	239	/* Print out process-ID's one by one. */
	240	- readproc();
	241	+ readproc(0);
	242	for(f = 0; f < argc; f++) {
	243	if ((q = pidof(argv[f])) != NULL) {
	244	spid = 0;
ad6b8e9b JB	245	@@ -612,7 +619,7 @@
ad6b8e9b JB	246	sent_sigstop = 1;
437bcd41	247
ad6b8e9b	248	/* Read /proc filesystem */
437bcd41 AM	249	- if (readproc() < 0) {
	250	+ if (readproc(1) < 0) {
	251	kill(-1, SIGCONT);
	252	exit(1);
	253	}
68a85958 AM	254	diff -urN sysvinit-2.86.org/src/Makefile sysvinit-2.86/src/Makefile
	255	--- sysvinit-2.86.org/src/Makefile 2005-08-16 18:45:33.271045000 +0200
	256	+++ sysvinit-2.86/src/Makefile 2005-08-16 18:50:59.463457080 +0200
ad6b8e9b JB	257	@@ -58,7 +58,7 @@
ad6b8e9b JB	258	all: $(BIN) $(SBIN) $(USRBIN)
59fa00c5 JB	259
	260	init: init.o init_utmp.o
	261	- $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
ad6b8e9b	262	+ $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
59fa00c5 JB	263
	264	halt: halt.o ifdown.o hddown.o utmp.o reboot.h
	265	$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
ad6b8e9b	266	@@ -79,7 +79,7 @@
f31152bd JB	267	$(CC) $(LDFLAGS) -o $@ runlevel.o
	268
	269	sulogin: sulogin.o md5_broken.o md5_crypt_broken.o arc4random.o bcrypt.o blowfish.o
	270	- $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
ad6b8e9b	271	+ $(CC) $(LDFLAGS) $(STATIC) -DWITH_SELINUX -o $@ $^ $(LCRYPT) -lselinux
f31152bd JB	272
	273	wall: dowall.o wall.o
	274	$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
ad6b8e9b	275	@@ -90,8 +90,11 @@
f31152bd	276	bootlogd: bootlogd.o
ad6b8e9b	277	$(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
59fa00c5	278
68a85958	279	+sulogin.o: sulogin.c
f31152bd	280	+ $(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c
68a85958	281	+
ad6b8e9b	282	init.o: init.c init.h set.h reboot.h initreq.h
59fa00c5 JB	283	- $(CC) -c $(CFLAGS) init.c
	284	+ $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
	285
	286	utmp.o: utmp.c init.h
	287	$(CC) -c $(CFLAGS) utmp.c
68a85958 AM	288	diff -urN sysvinit-2.86.org/src/sulogin.c sysvinit-2.86/src/sulogin.c
	289	--- sysvinit-2.86.org/src/sulogin.c 2005-08-16 18:45:33.274045000 +0200
	290	+++ sysvinit-2.86/src/sulogin.c 2005-08-16 18:47:36.793267632 +0200
	291	@@ -29,7 +29,10 @@
	292	#endif
	293	#include "md5.h"
	294	#include "blowfish.h"
	295	-
	296	+#ifdef WITH_SELINUX
	297	+#include <selinux/selinux.h>
	298	+#include <selinux/get_context_list.h>
	299	+#endif
	300	#define CHECK_DES 1
	301	#define CHECK_MD5 1
	302	#define CHECK_BLOWFISH 1
	303	@@ -362,6 +365,16 @@
	304	signal(SIGINT, SIG_DFL);
	305	signal(SIGTSTP, SIG_DFL);
	306	signal(SIGQUIT, SIG_DFL);
	307	+#ifdef WITH_SELINUX
	308	+ if (is_selinux_enabled > 0) {
	309	+ security_context_t* contextlist=NULL;
	310	+ if (get_ordered_context_list("root", 0, &contextlist) > 0) {
	311	+ if (setexeccon(contextlist[0]) != 0)
	312	+ fprintf(stderr, "setexeccon faile\n");
	313	+ freeconary(contextlist);
	314	+ }
	315	+ }
	316	+#endif
	317	execl(sushell, shell, NULL);
	318	perror(sushell);
	319
	320