[Pkg-sysvinit-commits] r1427 - in sysvinit-upstream/trunk: doc src
Petter Reinholdtsen
pere at alioth.debian.org
Fri Jul 10 21:47:28 UTC 2009
Author: pere
Date: 2009-07-10 21:47:28 +0000 (Fri, 10 Jul 2009)
New Revision: 1427
Modified:
sysvinit-upstream/trunk/doc/Changelog
sysvinit-upstream/trunk/src/Makefile
sysvinit-upstream/trunk/src/init.c
sysvinit-upstream/trunk/src/sulogin.c
Log:
Add support for SE Linux capability handling. Patch from Manoj
Srivastava, adjusted to avoid aborting if SE policy was loaded in
the initrd with patch from Bill Nottingham and Fedora.
Modified: sysvinit-upstream/trunk/doc/Changelog
===================================================================
--- sysvinit-upstream/trunk/doc/Changelog 2009-07-10 21:44:44 UTC (rev 1426)
+++ sysvinit-upstream/trunk/doc/Changelog 2009-07-10 21:47:28 UTC (rev 1427)
@@ -33,6 +33,9 @@
* Change install rules to make pidof an absolute symlink. Patch from
Thomas Hood.
* Improve error message from init if fork() fail. Patch found in Suse.
+ * Add support for SE Linux capability handling. Patch from Manoj
+ Srivastava, adjusted to avoid aborting if SE policy was loaded in
+ the initrd with patch from Bill Nottingham and Fedora.
-- Petter Reinholdtsen <pere at debian.org> Fri, 30 Jul 2004 14:14:58 +0200
Modified: sysvinit-upstream/trunk/src/Makefile
===================================================================
--- sysvinit-upstream/trunk/src/Makefile 2009-07-10 21:44:44 UTC (rev 1426)
+++ sysvinit-upstream/trunk/src/Makefile 2009-07-10 21:47:28 UTC (rev 1427)
@@ -51,6 +51,18 @@
INSTALL_DATA = install -o $(BIN_OWNER) -g $(BIN_GROUP) -m 644
MANDIR = /usr/share/man
+ifeq ($(WITH_SELINUX),yes)
+ SELINUX_DEF=-DWITH_SELINUX
+ INIT_SELIBS=-lsepol -lselinux
+ SULOGIN_SELIBS=-lselinux
+else
+ SELINUX_DEF=
+ INIT_SELIBS=
+ SULOGIN_SELIBS=
+endif
+
+
+
# Additional libs for GNU libc.
ifneq ($(wildcard /usr/lib/libcrypt.a),)
LCRYPT = -lcrypt
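Review bot: `INIT_SELIBS=-lsepol -lselinux` lists the two libraries in the opposite order from their dependency, and the `init` link line that consumes it also passes `$(STATIC)`. libselinux's policy-loading code calls into libsepol, so if `$(STATIC)` expands to a static link (its value is not visible here) the sepol symbols may end up unresolved. `INIT_SELIBS=-lselinux -lsepol` works for both static and shared links. The knob is also undocumented and only the exact value `yes` enables it, so a comment above the `ifeq` such as `# Set WITH_SELINUX=yes to build init and sulogin with SELinux support (needs libselinux and libsepol)` would help packagers avoid a silent non-SELinux build.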
@@ -59,7 +71,7 @@
all: $(BIN) $(SBIN) $(USRBIN)
init: init.o init_utmp.o
- $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+ $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)
halt: halt.o ifdown.o hddown.o utmp.o reboot.h
$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -80,7 +92,7 @@
$(CC) $(LDFLAGS) -o $@ runlevel.o
sulogin: sulogin.o
- $(CC) $(LDFLAGS) $(STATIC) -o $@ sulogin.o $(LCRYPT)
+ $(CC) $(LDFLAGS) $(STATIC) $(SELINUX_DEF) -o $@ $^ $(LCRYPT) $(SULOGIN_SELIBS)
wall: dowall.o wall.o
$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
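Review bot: `$(SELINUX_DEF)` on the `sulogin` link line has no effect, because the command only links an object file and the define is already applied by the new `sulogin.o` compile rule. Dropping it keeps the line parallel with the `init` rule. The switch to `$^` is harmless, but it is the only automatic prerequisite variable among the link rules visible here, so either keep `sulogin.o` spelled out or convert the neighbouring rules as well.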
@@ -91,8 +103,11 @@
bootlogd: bootlogd.o
$(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
+sulogin.o: sulogin.c
+ $(CC) -c $(CFLAGS) $(SELINUX_DEF) sulogin.c
+
init.o: init.c init.h set.h reboot.h initreq.h
- $(CC) -c $(CFLAGS) init.c
+ $(CC) -c $(CFLAGS) $(SELINUX_DEF) init.c
utmp.o: utmp.c init.h
$(CC) -c $(CFLAGS) utmp.c
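Review bot: Neither `init.o` nor `sulogin.o` is rebuilt when `WITH_SELINUX` changes, so a tree first built without the option and then rebuilt with `WITH_SELINUX=yes` reuses objects compiled without `-DWITH_SELINUX`. The link still succeeds because the extra libraries are simply unused, and the result is an `init` that never loads policy, with no build-time signal that anything is missing. At minimum add a comment above these rules, for example `# Run "make clean" after changing WITH_SELINUX; the objects do not track it.` A stamp file that records the setting and is listed as a prerequisite of both objects would enforce this instead of relying on the builder.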
Modified: sysvinit-upstream/trunk/src/init.c
===================================================================
--- sysvinit-upstream/trunk/src/init.c 2009-07-10 21:44:44 UTC (rev 1426)
+++ sysvinit-upstream/trunk/src/init.c 2009-07-10 21:47:28 UTC (rev 1427)
@@ -43,6 +43,11 @@
#include <sys/syslog.h>
#include <sys/time.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
+
+
#ifdef __i386__
# if (__GLIBC__ >= 2)
/* GNU libc 2.x */
@@ -2602,6 +2607,7 @@
char *p;
int f;
int isinit;
+ int enforce = 0;
/* Get my own name */
if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2665,6 +2671,21 @@
maxproclen += strlen(argv[f]) + 1;
}
+#ifdef WITH_SELINUX
+ if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
+ putenv("SELINUX_INIT=YES");
+ if (selinux_init_load_policy(&enforce) == 0 ) {
+ execv(myname, argv);
+ } else {
+ if (enforce > 0) {
+ /* SELinux in enforcing mode but load_policy failed */
+ /* At this point, we probably can't open /dev/console, so log() won't work */
+ fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
+ exit(1);
+ }
+ }
+ }
+#endif
/* Start booting. */
argv0 = argv[0];
argv[1] = NULL;
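Review bot: A failed `execv(myname, argv)` after a successful `selinux_init_load_policy()` is not handled: control falls out of the block and init keeps booting in the context it had before the policy was loaded, with no diagnostic. In enforcing mode that deserves the same treatment as a failed load, for example `fprintf(stderr, "init: re-exec after SELinux policy load failed\n");` followed by `if (enforce > 0) exit(1);` directly after the `execv()` call. The non-enforcing failure path is also silent, so a one-line message there would make a missing policy visible in boot output. `int enforce = 0;` from the earlier hunk is declared outside the `#ifdef` and will be an unused variable in non-SELinux builds. The enclosing function starts and ends outside this hunk, so whether this block is reached only when running as PID 1 cannot be confirmed from here.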
Modified: sysvinit-upstream/trunk/src/sulogin.c
===================================================================
--- sysvinit-upstream/trunk/src/sulogin.c 2009-07-10 21:44:44 UTC (rev 1426)
+++ sysvinit-upstream/trunk/src/sulogin.c 2009-07-10 21:47:28 UTC (rev 1427)
@@ -28,6 +28,11 @@
# include <crypt.h>
#endif
+#ifdef WITH_SELINUX
+# include <selinux/selinux.h>
+# include <selinux/get_context_list.h>
+#endif
+
#define CHECK_DES 1
#define CHECK_MD5 1
@@ -335,6 +340,21 @@
signal(SIGINT, SIG_DFL);
signal(SIGTSTP, SIG_DFL);
signal(SIGQUIT, SIG_DFL);
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled > 0) {
+ security_context_t scon=NULL;
+ char *seuser=NULL;
+ char *level=NULL;
+ if (getseuserbyname("root", &seuser, &level) == 0)
+ if (get_default_context_with_level(seuser, level, 0, &scon) > 0) {
+ if (setexeccon(scon) != 0)
+ fprintf(stderr, "setexeccon faile\n");
+ freecon(scon);
+ }
+ free(seuser);
+ free(level);
+ }
+#endif
execl(sushell, shell, NULL);
perror(sushell);
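Review bot: `if (is_selinux_enabled > 0)` tests the function's address instead of calling it, so the block runs whether or not SELinux is enabled; it should read `if (is_selinux_enabled() > 0) {`. The inner test `get_default_context_with_level(seuser, level, 0, &scon) > 0` looks wrong as well. libselinux documents 0 as the success return for this call, so `setexeccon()` is never reached and the root shell is exec'd without the intended context; `== 0` is the check to use. The message `"setexeccon faile\n"` is missing a letter, and a failed `setexeccon()` still falls through to `execl()`, so it is worth deciding deliberately whether a recovery shell in the wrong context is acceptable. The enclosing function starts outside the hunk.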