summaryrefslogtreecommitdiff
blob: 3110bc52befb74e803ea2d1ce15283dc1f077688 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
diff -urN sysvinit-2.86.orig/src/Makefile sysvinit-2.86/src/Makefile
--- sysvinit-2.86.orig/src/Makefile	2004-06-09 08:47:45.000000000 -0400
+++ sysvinit-2.86/src/Makefile	2005-01-03 20:25:59.922659928 -0500
@@ -12,6 +12,8 @@
 CFLAGS	= -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE
 LDFLAGS	= -s
 STATIC	=
+CFLAGS	+= -DWITH_SELINUX
+LDFLAGS	+= -lselinux -lsepol
 
 # For some known distributions we do not build all programs, otherwise we do.
 BIN	=
diff -urN sysvinit-2.86.orig/src/init.c sysvinit-2.86/src/init.c
--- sysvinit-2.86.orig/src/init.c	2004-07-30 08:16:20.000000000 -0400
+++ sysvinit-2.86/src/init.c	2005-01-03 20:46:39.485217776 -0500
@@ -42,6 +42,11 @@
 #include <stdarg.h>
 #include <sys/syslog.h>
 #include <sys/time.h>
+#include <sys/mman.h>
+#include <selinux/selinux.h>
+#include <sepol/sepol.h>
+#include <sys/mount.h>
+
 
 #ifdef __i386__
 #  if (__GLIBC__ >= 2)
@@ -104,6 +109,7 @@
 int dfl_level = 0;		/* Default runlevel */
 sig_atomic_t got_cont = 0;	/* Set if we received the SIGCONT signal */
 sig_atomic_t got_signals;	/* Set if we received a signal. */
+int enforcing = -1;		/* SELinux enforcing mode */
 int emerg_shell = 0;		/* Start emergency shell? */
 int wrote_wtmp_reboot = 1;	/* Set when we wrote the reboot record */
 int wrote_utmp_reboot = 1;	/* Set when we wrote the reboot record */
@@ -192,6 +198,142 @@
 char *extra_env[NR_EXTRA_ENV];
 
 
+/* Mount point for selinuxfs. */
+#define SELINUXMNT "/selinux/"
+
+static int load_policy(int *enforce) 
+{
+	int fd=-1,ret=-1;
+	int rc=0, orig_enforce;
+	struct stat sb;
+	void *map;
+	char policy_file[PATH_MAX];
+	int policy_version=0;
+	FILE *cfg;
+	char buf[4096];
+	int seconfig = -2;
+	
+	selinux_getenforcemode(&seconfig);
+
+	mount("none", "/proc", "proc", 0, 0);
+	cfg = fopen("/proc/cmdline","r");
+	if (cfg) {
+		char *tmp;
+		if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
+			if (tmp == buf || isspace(*(tmp-1))) {
+				enforcing=atoi(tmp+10);
+			}
+		}
+		fclose(cfg);
+	}
+#define MNT_DETACH 2
+	umount2("/proc",MNT_DETACH);
+	
+	if (enforcing >=0)
+		*enforce = enforcing;
+	else if (seconfig == 1)
+		*enforce = 1;
+	
+	if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
+		if (errno == ENODEV) {
+			initlog(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
+			*enforce = 0;
+		} else {
+			initlog(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
+		}
+		return ret;
+	}
+
+	set_selinuxmnt(SELINUXMNT); /* set manually since we mounted it */
+
+	policy_version=security_policyvers();
+	if (policy_version < 0) {
+		initlog(L_VB,  "Can't get policy version: %s\n", strerror(errno));
+		goto UMOUNT;
+	}
+  
+	orig_enforce = rc = security_getenforce();
+	if (rc < 0) {
+		initlog(L_VB,  "Can't get SELinux enforcement flag: %s\n", strerror(errno));
+		goto UMOUNT;
+	}
+	if (enforcing >= 0) {
+		*enforce = enforcing;
+	} else if (seconfig == -1) {
+		*enforce = 0;
+		rc = security_disable();
+		if (rc == 0) umount(SELINUXMNT);
+		if (rc < 0) {
+			rc = security_setenforce(0);
+			if (rc < 0) {
+				initlog(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
+				goto UMOUNT;
+			}
+		}
+		ret = 0;
+		goto UMOUNT;
+	} else if (seconfig >= 0) {
+		*enforce = seconfig;
+		if (orig_enforce != *enforce) {
+			rc = security_setenforce(seconfig);
+			if (rc < 0) {
+				initlog(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
+				goto UMOUNT;
+			}
+		}
+	}
+
+	snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
+	fd = open(policy_file, O_RDONLY);
+	if (fd < 0) {
+		/* Check previous version to see if old policy is available
+		 */
+		snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
+		fd = open(policy_file, O_RDONLY);
+		if (fd < 0) {
+			initlog(L_VB,  "Can't open '%s.%d':  %s\n",
+			    selinux_binary_policy_path(),policy_version,strerror(errno));
+			goto UMOUNT;
+		}
+	}
+  
+	if (fstat(fd, &sb) < 0) {
+		initlog(L_VB, "Can't stat '%s':  %s\n",
+		    policy_file, strerror(errno));
+		goto UMOUNT;
+	}
+  
+	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+	if (map == MAP_FAILED) {
+		initlog(L_VB,  "Can't map '%s':  %s\n",
+		    policy_file, strerror(errno));
+		goto UMOUNT;
+	}
+
+
+	/* Set booleans based on a booleans configuration file. */
+	ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
+	if (ret < 0) {
+		if (errno != ENOENT && errno != EINVAL) {
+			initlog(L_VB,"Error while setting booleans:  %s\n", 
+			    strerror(errno));
+			goto UMOUNT;
+		}
+	}
+	initlog(L_VB, "Loading security policy\n");
+	ret=security_load_policy(map, sb.st_size);
+	if (ret < 0) {
+		initlog(L_VB, "security_load_policy failed\n");
+	}
+
+UMOUNT:
+	/*umount(SELINUXMNT); */
+	if ( fd >= 0) {
+		close(fd);
+	}
+	return(ret);
+}
+
 /*
  *	Sleep a number of seconds.
  *
@@ -2599,6 +2741,7 @@
 	char			*p;
 	int			f;
 	int			isinit;
+	int			enforce = 0;
 
 	/* Get my own name */
 	if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2662,6 +2805,20 @@
 		maxproclen += strlen(argv[f]) + 1;
 	}
 
+  	if (getenv("SELINUX_INIT") == NULL) {
+	  putenv("SELINUX_INIT=YES");
+	  if (load_policy(&enforce) == 0 ) {
+	    execv(myname, argv);
+	  } else {
+	    if (enforce > 0) {
+	      /* SELinux in enforcing mode but load_policy failed */
+	      /* At this point, we probably can't open /dev/console, so log() won't work */
+		    fprintf(stderr,"Enforcing mode requested but no policy loaded. Halting now.\n");
+	      exit(1);
+	    }
+	  }
+	}
+  
 	/* Start booting. */
 	argv0 = argv[0];
 	argv[1] = NULL;
diff -urN sysvinit-2.86.orig/src/sulogin.c sysvinit-2.86/src/sulogin.c
--- sysvinit-2.86.orig/src/sulogin.c	2004-07-30 07:40:28.000000000 -0400
+++ sysvinit-2.86/src/sulogin.c	2005-01-03 20:30:48.746751992 -0500
@@ -27,7 +27,10 @@
 #if defined(__GLIBC__)
 #  include <crypt.h>
 #endif
-
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+#endif
 #define CHECK_DES	1
 #define CHECK_MD5	1
 
@@ -335,6 +338,16 @@
 	signal(SIGINT, SIG_DFL);
 	signal(SIGTSTP, SIG_DFL);
 	signal(SIGQUIT, SIG_DFL);
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled > 0) {
+	  security_context_t* contextlist=NULL;
+	  if (get_ordered_context_list("root", 0, &contextlist) > 0) {
+	    if (setexeccon(contextlist[0]) != 0) 
+	      fprintf(stderr, "setexeccon faile\n");
+	    freeconary(contextlist);
+	  }
+	}
+#endif
 	execl(sushell, shell, NULL);
 	perror(sushell);