1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
--- sysvinit-2.85/src/init.c.selinux 2003-11-10 14:56:40.687719862 -0500
+++ sysvinit-2.85/src/init.c 2003-11-10 14:56:55.856964055 -0500
@@ -78,6 +78,78 @@
sigemptyset(&sa.sa_mask); \
sigaction(sig, &sa, NULL); \
} while(0)
+#ifdef WITH_SELINUX
+#include <sys/mman.h>
+#include <selinux/selinux.h>
+#include <sys/mount.h>
+
+static int load_policy(int *enforce)
+{
+ int fd=-1,ret=-1;
+ int rc=0;
+ struct stat sb;
+ void *map;
+ char policy_file[PATH_MAX];
+ int policy_version=0;
+
+ log(L_VB, "Loading security policy\n");
+ if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
+ if (errno == ENODEV) {
+ log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
+ }
+ else {
+ log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
+ return ret;
+ }
+ return ret; /* Never gets here */
+ }
+
+ policy_version=security_policyvers();
+ if (policy_version < 0) {
+ log(L_VB, "Can't get policy version: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+
+ rc=security_getenforce();
+ if (rc < 0) {
+ log(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+ *enforce=rc;
+
+ snprintf(policy_file,sizeof(policy_file),"%s.%d",SELINUXPOLICY,policy_version);
+ fd = open(policy_file, O_RDONLY);
+ if (fd < 0) {
+ log(L_VB, "Can't open '%s': %s\n",
+ policy_file, strerror(errno));
+ goto UMOUNT;
+ }
+
+ if (fstat(fd, &sb) < 0) {
+ log(L_VB, "Can't stat '%s': %s\n",
+ policy_file, strerror(errno));
+ goto UMOUNT;
+ }
+
+ map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
+ if (map == MAP_FAILED) {
+ log(L_VB, "Can't map '%s': %s\n",
+ policy_file, strerror(errno));
+ goto UMOUNT;
+ }
+ ret=security_load_policy(map, sb.st_size);
+ if (ret < 0) {
+ log(L_VB, "security_load_policy failed\n");
+ }
+
+ UMOUNT:
+ umount(SELINUXMNT);
+ if ( fd >= 0) {
+ close(fd);
+ }
+ return(ret);
+}
+#endif
/* Version information */
char *Version = "@(#) init " VERSION " " DATE " miquels@cistron.nl";
@@ -2576,6 +2648,20 @@
maxproclen += strlen(argv[f]) + 1;
}
+#ifdef WITH_SELINUX
+ if (getenv("SELINUX_INIT") == NULL) {
+ putenv("SELINUX_INIT=YES");
+ int enforce=0;
+ if (load_policy(&enforce) == 0 ) {
+ execv(myname, argv);
+ } else {
+ if (enforce)
+ /* SELinux in enforcing mode but load_policy failed */
+ exit(1);
+ }
+ }
+#endif
+
/* Start booting. */
argv0 = argv[0];
argv[1] = NULL;
--- sysvinit-2.85/src/Makefile.selinux 2003-11-10 14:56:40.430749605 -0500
+++ sysvinit-2.85/src/Makefile 2003-11-10 14:56:40.725715464 -0500
@@ -32,7 +32,7 @@
all: $(PROGS)
init: init.o init_utmp.o
- $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+ $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lselinux
halt: halt.o ifdown.o hddown.o utmp.o reboot.h
$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -62,7 +62,7 @@
$(CC) $(LDFLAGS) -o $@ bootlogd.o
init.o: init.c init.h set.h reboot.h
- $(CC) -c $(CFLAGS) init.c
+ $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
utmp.o: utmp.c init.h
$(CC) -c $(CFLAGS) utmp.c
|
GitWeb