Re: error: too many arguments to function 'security_getenforce'


 



On 08/13/2009 02:06 PM, Justin P. Mattock wrote:
> Daniel J Walsh wrote:
>>
>> Does
>>
>> selinux_mkload_policy(1);
>>
>> Work for you?
>>
>>    
> I clipped part of the message to keep
> things clean.
> 
> I'm going to be honest, I'm not that yet skilled
> in fixing something like this.
> 
> with selinux_mkload_policy(1)
> were would I put this?
> 
> Justin P. Mattock
> 
> 
> 

Actually, the function you probably want is
selinux_init_load_policy

I attached the patch we used to use for sysvinit, before we moved to loading policy in the initrd.



--- sysvinit-2.85/src/init.c.selinux	2005-10-14 14:16:24.000000000 -0400
+++ sysvinit-2.85/src/init.c	2005-10-14 14:16:24.000000000 -0400
@@ -48,6 +48,8 @@
 #include <stdarg.h>
 #include <sys/syslog.h>
 #include <sys/time.h>
+#include <selinux/selinux.h>
+
 
 #ifdef __i386__
 #  if (__GLIBC__ >= 2)
@@ -2513,6 +2515,7 @@
 	char			*p;
 	int			f;
 	int			isinit;
+	int			enforce = 0;
 
 	/* Get my own name */
 	if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2576,6 +2579,20 @@
 		maxproclen += strlen(argv[f]) + 1;
 	}
 
+  	if (getenv("SELINUX_INIT") == NULL) {
+	  putenv("SELINUX_INIT=YES");
+	  if (selinux_init_load_policy(&enforce) == 0 ) {
+	    execv(myname, argv);
+	  } else {
+	    if (enforce > 0) {
+	      /* SELinux in enforcing mode but load_policy failed */
+	      /* At this point, we probably can't open /dev/console, so log() won't work */
+		    printf("Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
+	      exit(1);
+	    }
+	  }
+	}
+  
 	/* Start booting. */
 	argv0 = argv[0];
 	argv[1] = NULL;
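Review bot: The added block checks neither `putenv("SELINUX_INIT=YES")` nor the return of `execv(myname, argv)`, and both failures matter in PID 1. SELINUX_INIT is the only thing that stops the re-executed init from loading policy and exec'ing again, so a failed putenv() would presumably loop; guard it with `if (putenv("SELINUX_INIT=YES") != 0)` and skip the re-exec in that case. If execv() returns, init falls through to "Start booting" with no message even when `enforce > 0`, so the policy is loaded but init has not been re-executed; applying the same halt-on-enforcing check after the call, e.g. `if (enforce > 0) { printf("execv failed after policy load\n"); exit(1); }`, would keep that path fail-closed. The enclosing function starts and ends outside the hunk.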
--- sysvinit-2.85/src/Makefile.selinux	2005-10-14 14:16:24.000000000 -0400
+++ sysvinit-2.85/src/Makefile	2005-10-14 14:16:24.000000000 -0400
@@ -32,7 +32,7 @@
 all:		$(PROGS)
 
 init:		init.o init_utmp.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
 
 halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
 		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
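Review bot: On the `init` link line the new libraries are listed as `-lsepol -lselinux`, which is the wrong order if `$(STATIC)` expands to a static link: archives are resolved left to right, and libselinux's policy-loading code is presumably the consumer of libsepol symbols, so it has to come first. Using `-lselinux -lsepol` links correctly both statically and dynamically. A one-line comment above the rule, such as `# init loads the SELinux policy at boot, hence libselinux/libsepol`, would also record why PID 1 now carries these dependencies.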
@@ -50,7 +50,7 @@
 		$(CC) $(LDFLAGS) -o $@ runlevel.o
 
 sulogin:	sulogin.o md5_broken.o md5_crypt_broken.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT) -lselinux
 
 wall:		dowall.o wall.o
 		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
--- sysvinit-2.85/src/sulogin.c.selinux	2005-10-14 14:16:24.000000000 -0400
+++ sysvinit-2.85/src/sulogin.c	2005-10-14 14:18:42.000000000 -0400
@@ -28,7 +28,9 @@
 #  include <crypt.h>
 #endif
 #include "md5.h"
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>

 #define CHECK_DES	1
 #define CHECK_MD5	1
 
@@ -332,6 +335,19 @@
 	signal(SIGINT, SIG_DFL);
 	signal(SIGTSTP, SIG_DFL);
 	signal(SIGQUIT, SIG_DFL);
+	if (is_selinux_enabled > 0) {
+	  security_context_t scon=NULL;
+	  char *seuser=NULL;
+	  char *level=NULL;
+	  if (getseuserbyname("root", &seuser, &level) == 0)
+		  if (get_default_context_with_level(seuser, level, 0, &scon) > 0) {
+			  if (setexeccon(scon) != 0) 
+				  fprintf(stderr, "setexeccon faile\n");
+			  freecon(scon);
+		  }
+		free(seuser);
+		free(level);
+	}
 	execl(sushell, shell, NULL);
 	perror(sushell);
 
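Review bot: The guard `if (is_selinux_enabled > 0)` names the function without calling it, so it tests the function's address rather than whether SELinux is enabled; it should read `if (is_selinux_enabled() > 0) {`. The inner test `get_default_context_with_level(seuser, level, 0, &scon) > 0` also looks wrong: as documented in libselinux this call returns 0 on success and -1 on failure, so `> 0` would never be true and `setexeccon()` would never run; compare with `== 0` instead. When `setexeccon()` does fail, the code only prints a message (misspelled `faile`) and still reaches `execl(sushell, ...)`, so the root shell starts in whatever context sulogin had; whether that should be fatal in enforcing mode deserves at least a comment. The enclosing function starts and ends outside the hunk.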
