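--- sysvinit-2.86.org/src/init.c 2004-07-30 14:16:20.000000000 +0200
+++ sysvinit-2.86/src/init.c 2005-08-16 18:46:21.493714904 +0200
@@ -42,6 +42,11 @@
 #include <stdarg.h>
 #include <sys/syslog.h>
 #include <sys/time.h>
+#include <sys/mman.h>
+#include <selinux/selinux.h>
+#include <sepol/sepol.h>
+#include <sys/mount.h>
+
 
 #ifdef __i386__
 # if (__GLIBC__ >= 2)
@@ -104,6 +109,7 @@
 int dfl_level = 0; /* Default runlevel */
 sig_atomic_t got_cont = 0; /* Set if we received the SIGCONT signal */
 sig_atomic_t got_signals; /* Set if we received a signal. */
+int enforcing = -1; /* SELinux enforcing mode */
 int emerg_shell = 0; /* Start emergency shell? */
 int wrote_wtmp_reboot = 1; /* Set when we wrote the reboot record */
 int wrote_utmp_reboot = 1; /* Set when we wrote the reboot record */
@@ -192,6 +198,146 @@
 char *extra_env[NR_EXTRA_ENV];
 
 
+/* Mount point for selinuxfs. */
+#define SELINUXMNT "/selinux/"
+
+static int load_policy(int *enforce)
+{
+ int fd=-1,ret=-1;
+ int rc=0, orig_enforce;
+ struct stat sb;
+ void *map;
+ char policy_file[PATH_MAX];
+ int policy_version=0;
+ FILE *cfg;
+ char buf[4096];
+ int seconfig = -2;
+
+ selinux_getenforcemode(&seconfig);
+
+ mount("none", "/proc", "proc", 0, 0);
+ cfg = fopen("/proc/cmdline","r");
+ if (cfg) {
+ char *tmp;
+ if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
+ if (tmp == buf || isspace(*(tmp-1))) {
+ enforcing=atoi(tmp+10);
+ }
+ }
+ fclose(cfg);
+ }
+#define MNT_DETACH 2
+ umount2("/proc",MNT_DETACH);
+
+ if (enforcing >=0)
+ *enforce = enforcing;
+ else if (seconfig == 1)
+ *enforce = 1;
+
+ if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
+ if (errno == ENODEV) {
+ log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
+ *enforce = 0;
+ } else {
+ log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
+ }
+ return ret;
+ }
+
+ set_selinuxmnt(SELINUXMNT); /* set manually since we mounted it */
+
+ policy_version=security_policyvers();
+ if (policy_version < 0) {
+ log(L_VB, "Can't get policy version: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+
+ orig_enforce = rc = security_getenforce();
+ if (rc < 0) {
+ log(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+ if (enforcing >= 0) {
+ *enforce = enforcing;
+ } else if (seconfig == -1) {
+ *enforce = 0;
+ rc = security_disable();
+ if (rc == 0) umount(SELINUXMNT);
+ if (rc < 0) {
+ rc = security_setenforce(0);
+ if (rc < 0) {
+ log(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+ }
+ ret = 0;
+ goto UMOUNT;
+ } else if (seconfig >= 0) {
+ *enforce = seconfig;
+ if (orig_enforce != *enforce) {
+ rc = security_setenforce(seconfig);
+ if (rc < 0) {
+ log(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+ }
+ }
+
+ snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
+ fd = open(policy_file, O_RDONLY);
+ if (fd < 0) {
+ /* Check previous version to see if old policy is available
+ */
+ snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
+ fd = open(policy_file, O_RDONLY);
+ if (fd < 0) {
+ log(L_VB, "Can't open '%s.%d': %s\n",
+ selinux_binary_policy_path(),policy_version,strerror(errno));
+ goto UMOUNT;
+ }
+ }
+
+ if (fstat(fd, &sb) < 0) {
+ log(L_VB, "Can't stat '%s': %s\n",
+ policy_file, strerror(errno));
+ goto UMOUNT;
+ }
+
+ map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ if (map == MAP_FAILED) {
+ log(L_VB, "Can't map '%s': %s\n",
+ policy_file, strerror(errno));
+ goto UMOUNT;
+ }
+
+
+ /* Set booleans based on a booleans configuration file. */
+ ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
+ if (ret < 0) {
+ if (errno == ENOENT || errno == EINVAL) {
+ /* No booleans file or stale booleans in the file; non-fatal. */
+ log(L_VB,"Warning! Error while setting booleans: %s\n"
+ , strerror(errno));
+ } else {
+ log(L_VB,"Error while setting booleans: %s\n",
+ strerror(errno));
+ goto UMOUNT;
+ }
+ }
+ log(L_VB, "Loading security policy\n");
+ ret=security_load_policy(map, sb.st_size);
+ if (ret < 0) {
+ log(L_VB, "security_load_policy failed\n");
+ }
+
+UMOUNT:
+ /*umount(SELINUXMNT); */
+ if ( fd >= 0) {
+ close(fd);
+ }
+ return(ret);
+}
+
 /*
 * Sleep a number of seconds.
 *
@@ -2599,6 +2745,7 @@
 char *p;
 int f;
 int isinit;
+ int enforce = 0;
 
 /* Get my own name */
 if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2662,6 +2809,20 @@
 maxproclen += strlen(argv[f]) + 1;
 }
 
+ if (getenv("SELINUX_INIT") == NULL) {
+ putenv("SELINUX_INIT=YES");
+ if (load_policy(&enforce) == 0 ) {
+ execv(myname, argv);
+ } else {
+ if (enforce > 0) {
+ /* SELinux in enforcing mode but load_policy failed */
+ /* At this point, we probably can't open /dev/console, so log() won't work */
+ fprintf(stderr,"Enforcing mode requested but no policy loaded. Halting now.\n");
+ exit(1);
+ }
+ }
+ }
+
 /* Start booting. */
 argv0 = argv[0];
 argv[1] = NULL;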
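Review bot: In the main() hunk the result of `execv(myname, argv)` is not handled, so if the re-exec fails after a successful policy load, init falls through to "Start booting" with no diagnostic, presumably still in the context it had before the load. Report the failure and apply the same halt as the enforcing branch, directly after the call: `fprintf(stderr, "re-exec of %s failed: %s\n", myname, strerror(errno)); if (enforce > 0) exit(1);`. In load_policy(), the ENODEV `log()` call passes two arguments to a single `%s`, so the message prints the mount point and drops `strerror(errno)`; the `mmap()` region is also never released on the UMOUNT path. main() starts and ends outside the hunk.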
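--- sysvinit-2.86.org/src/killall5.c 2005-08-16 18:45:33.280044000 +0200
+++ sysvinit-2.86/src/killall5.c 2005-08-16 18:49:39.851559928 +0200
@@ -166,8 +166,11 @@
 
 /*
 * Read the proc filesystem.
+ * since pidOf does not use process sid added a needSid flag to eliminate
+ * the need of this privs for SELinux
+ *
 */
-int readproc()
+int readproc(int needSid)
 {
 DIR *dir;
 FILE *fp;
@@ -252,13 +255,17 @@
 p->kernel = 1;
 }
 fclose(fp);
- p->sid = getsid(pid);
- if (p->sid < 0) {
+ if (needSid) {
+ p->sid = getsid(pid);
+ if (p->sid < 0) {
 p->sid = 0;
 nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
 free(p->statname);
 free(p);
 continue;
+ }
+ } else {
+ p->sid = 0;
 }
 } else {
 /* Process disappeared.. */
@@ -531,7 +538,7 @@
 argv += optind;
 
 /* Print out process-ID's one by one. */
- readproc();
+ readproc(0);
 for(f = 0; f < argc; f++) {
 if ((q = pidof(argv[f])) != NULL) {
 spid = 0;
@@ -612,7 +619,7 @@
 sent_sigstop = 1;
 
 /* Read /proc filesystem */
- if (readproc() < 0) {
+ if (readproc(1) < 0) {
 kill(-1, SIGCONT);
 exit(1);
 }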
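Review bot: The new `needSid` parameter of readproc() is documented only by the sentence added to the header comment, which does not say what each value does or that `p->sid` is forced to 0 when the flag is clear. I would replace that sentence with `/* needSid: non-zero calls getsid() for every process; zero skips the call and leaves p->sid at 0, so pidof needs no getsid permission under SELinux. */`. The call sites pass bare `0` and `1`, so a short comment at each (or named constants) would make the intent visible. A stored sid of 0 is then indistinguishable from a real value, which means any later reader of `p->sid` has to know which mode filled the list. readproc() begins and ends outside the hunks shown.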
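--- sysvinit-2.86.org/src/Makefile 2005-08-16 18:45:33.271045000 +0200
+++ sysvinit-2.86/src/Makefile 2005-08-16 18:50:59.463457080 +0200
@@ -58,7 +58,7 @@
 all: $(BIN) $(SBIN) $(USRBIN)
 
 init: init.o init_utmp.o
- $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+ $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
 
 halt: halt.o ifdown.o hddown.o utmp.o reboot.h
 $(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -79,7 +79,7 @@
 $(CC) $(LDFLAGS) -o $@ runlevel.o
 
 sulogin: sulogin.o md5_broken.o md5_crypt_broken.o arc4random.o bcrypt.o blowfish.o
- $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
+ $(CC) $(LDFLAGS) $(STATIC) -DWITH_SELINUX -o $@ $^ $(LCRYPT) -lselinux
 
 wall: dowall.o wall.o
 $(CC) $(LDFLAGS) -o $@ dowall.o wall.o
@@ -90,8 +90,11 @@
 bootlogd: bootlogd.o
 $(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
 
+sulogin.o: sulogin.c
+ $(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c
+
 init.o: init.c init.h set.h reboot.h initreq.h
- $(CC) -c $(CFLAGS) init.c
+ $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
 
 utmp.o: utmp.c init.h
 $(CC) -c $(CFLAGS) utmp.c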
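Review bot: `-DWITH_SELINUX` on the `sulogin` link rule has no effect, because `$^` there is only object files and nothing is preprocessed at that step; the define that matters is the one on the new `sulogin.o` rule. On `init.o` the define also looks inert as far as this patch shows, since the SELinux includes and `load_policy()` added to init.c are not wrapped in `#ifdef WITH_SELINUX`, so init cannot be built without libselinux and libsepol. Either guard the init.c additions the way sulogin.c does, or drop the flag from the `init.o` rule. With `$(STATIC)` set, also confirm that the `-lsepol -lselinux` order resolves, since static linking is order-sensitive.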
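--- sysvinit-2.86.org/src/sulogin.c 2005-08-16 18:45:33.274045000 +0200
+++ sysvinit-2.86/src/sulogin.c 2005-08-16 18:47:36.793267632 +0200
@@ -29,7 +29,10 @@
 #endif
 #include "md5.h"
 #include "blowfish.h"
-
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif
 #define CHECK_DES 1
 #define CHECK_MD5 1
 #define CHECK_BLOWFISH 1
@@ -362,6 +365,16 @@
 signal(SIGINT, SIG_DFL);
 signal(SIGTSTP, SIG_DFL);
 signal(SIGQUIT, SIG_DFL);
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled > 0) {
+ security_context_t* contextlist=NULL;
+ if (get_ordered_context_list("root", 0, &contextlist) > 0) {
+ if (setexeccon(contextlist[0]) != 0)
+ fprintf(stderr, "setexeccon faile\n");
+ freeconary(contextlist);
+ }
+ }
+#endif
 execl(sushell, shell, NULL);
 perror(sushell);
 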
320 |