-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://bugzilla.redhat.com/show_bug.cgi?id=434793 The way the upstart initrd works is to run nash with a builtin loadpolicy. The problem is nash starts before the /sysmount file system is mounted, so libselinux does not have an /etc/selinux/config to read. It defaults to targeted. So when nash finally executes loadpolicy (selinux_init_load_policy) it has the wrong config. Switching to any other type of policy will fail and selinux_init_load_policy will look for targeted. I changed this function to reload the config, to fix this problem. I think I did all the hidden stuff correctly. I don't think we want to expose these functions.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkfG8GYACgkQrlYvE4MpobNudgCg25fnGfQ6WNyzGiMckpfXy11O
0i8AnjskiEKZX/84EKnpjwujdPydUJEz
=Ku86
-----END PGP SIGNATURE-----
diff --exclude-from=exclude -N -u -r nsalibselinux/src/load_policy.c libselinux-2.0.57/src/load_policy.c
--- nsalibselinux/src/load_policy.c 2008-02-13 11:16:14.000000000 -0500
+++ libselinux-2.0.57/src/load_policy.c 2008-02-28 11:11:20.000000000 -0500
@@ -308,6 +308,13 @@
 FILE *cfg;
 char *buf;
 
+
+ /*
+ Reinitialize the library, so chroot will work correctly.
+ */
+ fini_selinux_policyroot();
+ init_selinux_config();
+
 /*
 * Get desired mode (disabled, permissive, enforcing) from
 * /etc/selinux/config.
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-2.0.57/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c 2007-08-03 16:02:56.000000000 -0400
+++ libselinux-2.0.57/src/selinux_config.c 2008-02-28 11:10:01.000000000 -0500
@@ -127,9 +127,9 @@
 static char *selinux_policyroot = NULL;
 static char *selinux_rootpath = NULL;
 
-static void init_selinux_config(void) __attribute__ ((constructor));
+void init_selinux_config(void) __attribute__ ((constructor));
 
-static void init_selinux_config(void)
+void init_selinux_config(void)
 {
 int i, *intptr;
 size_t line_len;
@@ -207,10 +207,11 @@
 == -1)
 return;
 }
+hidden_def(init_selinux_config)
 
-static void fini_selinux_policyroot(void) __attribute__ ((destructor));
+void fini_selinux_policyroot(void) __attribute__ ((destructor));
 
-static void fini_selinux_policyroot(void)
+void fini_selinux_policyroot(void)
 {
 int i;
 free(selinux_policyroot);
@@ -222,6 +223,7 @@
 free(selinux_policytype);
 selinux_policytype = NULL;
 }
+hidden_def(fini_selinux_policyroot)
 
 static const char *get_path(int idx)
 {
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_internal.h libselinux-2.0.57/src/selinux_internal.h
--- nsalibselinux/src/selinux_internal.h 2007-08-03 16:02:56.000000000 -0400
+++ libselinux-2.0.57/src/selinux_internal.h 2008-02-28 11:11:04.000000000 -0500
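Review bot: The new comment `Reinitialize the library, so chroot will work correctly.` gives a different reason than the description, where the constructor ran before /etc/selinux/config was reachable and libselinux fell back to the default (targeted) configuration; the comment should state the real motivation so the reload is not later removed as a chroot-only concern. Something like `/* Re-read /etc/selinux/config: the constructor may have run before the root filesystem was mounted (initrd) and fallen back to defaults. */` would do. init_selinux_config() returns void, so if the config is still missing at this point the reload silently yields the defaults again and the caller cannot tell; if that is intended, a sentence in the comment should say so. The enclosing function (selinux_init_load_policy, per the description) starts and ends outside the hunk.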
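Review bot: Dropping `static` from init_selinux_config() gives it external linkage while the definition keeps `__attribute__ ((constructor))`, so the function now runs at load time and again whenever a caller invokes it, yet nothing at the definition says repeated calls are expected or that the file-scope statics (selinux_policyroot, selinux_rootpath) get reassigned. A comment on the definition would capture the contract: `/* Runs as a constructor at load time and is re-run explicitly by selinux_init_load_policy() after fini_selinux_policyroot(); must leave the config state consistent on repeated calls. */`. Whether the symbol stays out of the public ABI depends on the hidden declarations from selinux_internal.h being in scope in this translation unit; the include is not in the hunk, so that is worth confirming. The same applies to the fini_selinux_policyroot() change in the @@ -207 hunk. The body of init_selinux_config() continues past the end of the hunk.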
@@ -80,6 +80,13 @@
 hidden_proto(security_get_initial_context);
 hidden_proto(security_get_initial_context_raw);
 
+extern void init_selinux_config(void) hidden;
+extern void fini_selinux_policyroot(void) hidden;
+
+hidden_proto(init_selinux_config);
+hidden_proto(fini_selinux_policyroot);
+
 extern int load_setlocaldefs hidden;
 extern int require_seusers hidden;
 extern int selinux_page_size hidden;
+
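Review bot: The two plain `extern void ... hidden;` lines and the two `hidden_proto(...)` lines declare the same functions, whereas the neighbouring hidden_proto() entries have no preceding extern because their prototypes come from the public selinux.h. If hidden_proto() needs a prior declaration to pick up the function's type, which seems to be why both forms appear here, a one-line comment should say so, e.g. `/* Not in selinux.h: declare first so hidden_proto() can take their type. */`; if it does not, keep only the hidden_proto() lines to match the surrounding style. The final added line after `extern int selinux_page_size hidden;` is a stray blank line.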