rpms/SysVinit/devel SysVinit.spec, 1.28, 1.29 sysvinit-selinux.patch, 1.10, 1.11

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Oct 14 18:33:23 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/SysVinit/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv21474

Modified Files:
	SysVinit.spec sysvinit-selinux.patch 
Log Message:
* Fri Oct 14 2005 Dan Walsh <dwalsh at redhat.com> - 2.85-41
- replace load_policy with selinux_init_load_policy
- add getseuserbyname to sulogin



Index: SysVinit.spec
===================================================================
RCS file: /cvs/dist/rpms/SysVinit/devel/SysVinit.spec,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- SysVinit.spec	30 Jun 2005 21:39:41 -0000	1.28
+++ SysVinit.spec	14 Oct 2005 18:33:02 -0000	1.29
@@ -1,7 +1,7 @@
 Summary: Programs which control basic system processes.
 Name: SysVinit
 Version: 2.85
-Release: 40
+Release: 41
 License: GPL
 Group: System Environment/Base
 Source: ftp://ftp.cistron.nl/pub/people/miquels/sysvinit/sysvinit-%{version}.tar.gz
@@ -60,6 +60,7 @@
 %patch14 -p1 -b .make
 %patch20 -p1 -b .console
 %patch21 -p1 -b .selinux
+exit
 %patch22 -p1 -b .argv
 %patch23 -p1
 %patch24 -p1 -b .readlink
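Review bot: The added `exit` line directly after `%patch21 -p1 -b .selinux` ends the scriptlet at that point, so `%patch22 -p1 -b .argv`, `%patch23 -p1`, `%patch24 -p1 -b .readlink` and anything later in the section are never applied. A bare `exit` returns the status of the previous command, so the build would probably continue and ship a package that silently lacks those patches. This looks like a debugging leftover from testing the regenerated selinux patch and is not mentioned in the changelog entry. The line should be removed before building 2.85-41.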
@@ -122,6 +123,10 @@
 /dev/initctl
 
 %changelog
+* Fri Oct 14 2005 Dan Walsh <dwalsh at redhat.com> - 2.85-41
+- replace load_policy with selinux_init_load_policy
+- add getseuserbyname to sulogin
+
 * Thu Jun 30 2005 Bill Nottingham <notting at redhat.com> - 2.85-40
 - pidof: fix the fix for #85796, which broke the fix for #138788
 

sysvinit-selinux.patch:
 Makefile   |    9 ++++++---
 init.c     |   17 +++++++++++++++++
 killall5.c |   17 ++++++++++++-----
 sulogin.c  |   18 +++++++++++++++++-
 4 files changed, 52 insertions(+), 9 deletions(-)

Index: sysvinit-selinux.patch
===================================================================
RCS file: /cvs/dist/rpms/SysVinit/devel/sysvinit-selinux.patch,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- sysvinit-selinux.patch	25 Apr 2005 22:07:54 -0000	1.10
+++ sysvinit-selinux.patch	14 Oct 2005 18:33:03 -0000	1.11
@@ -1,173 +1,15 @@
---- sysvinit-2.85/src/init.c.selinux	2004-08-11 17:48:23.000000000 -0400
-+++ sysvinit-2.85/src/init.c	2004-08-12 06:25:30.166271148 -0400
-@@ -48,6 +48,11 @@
+--- sysvinit-2.85/src/init.c.selinux	2005-10-14 14:16:24.000000000 -0400
++++ sysvinit-2.85/src/init.c	2005-10-14 14:16:24.000000000 -0400
+@@ -48,6 +48,8 @@
  #include <stdarg.h>
  #include <sys/syslog.h>
  #include <sys/time.h>
-+#include <sys/mman.h>
 +#include <selinux/selinux.h>
-+#include <sepol/sepol.h>
-+#include <sys/mount.h>
 +
  
  #ifdef __i386__
  #  if (__GLIBC__ >= 2)
-@@ -103,6 +108,7 @@
- int dfl_level = 0;		/* Default runlevel */
- sig_atomic_t got_cont = 0;	/* Set if we received the SIGCONT signal */
- sig_atomic_t got_signals;	/* Set if we received a signal. */
-+int enforcing = -1;		/* SELinux enforcing mode */
- int emerg_shell = 0;		/* Start emergency shell? */
- int wrote_wtmp_reboot = 1;	/* Set when we wrote the reboot record */
- int wrote_utmp_reboot = 1;	/* Set when we wrote the reboot record */
-@@ -187,6 +193,146 @@
- 	{NULL,0}
- };
- 
-+/* Mount point for selinuxfs. */
-+#define SELINUXMNT "/selinux/"
-+
-+static int load_policy(int *enforce) 
-+{
-+	int fd=-1,ret=-1;
-+	int rc=0, orig_enforce;
-+	struct stat sb;
-+	void *map;
-+	char policy_file[PATH_MAX];
-+	int policy_version=0;
-+	FILE *cfg;
-+	char buf[4096];
-+	int seconfig = -2;
-+	
-+	selinux_getenforcemode(&seconfig);
-+
-+	mount("none", "/proc", "proc", 0, 0);
-+	cfg = fopen("/proc/cmdline","r");
-+	if (cfg) {
-+		char *tmp;
-+		if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
-+			if (tmp == buf || isspace(*(tmp-1))) {
-+				enforcing=atoi(tmp+10);
-+			}
-+		}
-+		fclose(cfg);
-+	}
-+#define MNT_DETACH 2
-+	umount2("/proc",MNT_DETACH);
-+	
-+	if (enforcing >=0)
-+		*enforce = enforcing;
-+	else if (seconfig == 1)
-+		*enforce = 1;
-+	
-+	if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
-+		if (errno == ENODEV) {
-+			log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
-+			*enforce = 0;
-+		} else {
-+			log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
-+		}
-+		return ret;
-+	}
-+
-+	set_selinuxmnt(SELINUXMNT); /* set manually since we mounted it */
-+
-+	policy_version=security_policyvers();
-+	if (policy_version < 0) {
-+		log(L_VB,  "Can't get policy version: %s\n", strerror(errno));
-+		goto UMOUNT;
-+	}
-+  
-+	orig_enforce = rc = security_getenforce();
-+	if (rc < 0) {
-+		log(L_VB,  "Can't get SELinux enforcement flag: %s\n", strerror(errno));
-+		goto UMOUNT;
-+	}
-+	if (enforcing >= 0) {
-+		*enforce = enforcing;
-+	} else if (seconfig == -1) {
-+		*enforce = 0;
-+		rc = security_disable();
-+		if (rc == 0) umount(SELINUXMNT);
-+		if (rc < 0) {
-+			rc = security_setenforce(0);
-+			if (rc < 0) {
-+				log(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
-+				goto UMOUNT;
-+			}
-+		}
-+		ret = 0;
-+		goto UMOUNT;
-+	} else if (seconfig >= 0) {
-+		*enforce = seconfig;
-+		if (orig_enforce != *enforce) {
-+			rc = security_setenforce(seconfig);
-+			if (rc < 0) {
-+				log(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
-+				goto UMOUNT;
-+			}
-+		}
-+	}
-+
-+	snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
-+	fd = open(policy_file, O_RDONLY);
-+	if (fd < 0) {
-+		/* Check previous version to see if old policy is available
-+		 */
-+		snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
-+		fd = open(policy_file, O_RDONLY);
-+		if (fd < 0) {
-+			log(L_VB,  "Can't open '%s.%d':  %s\n",
-+			    selinux_binary_policy_path(),policy_version,strerror(errno));
-+			goto UMOUNT;
-+		}
-+	}
-+  
-+	if (fstat(fd, &sb) < 0) {
-+		log(L_VB, "Can't stat '%s':  %s\n",
-+		    policy_file, strerror(errno));
-+		goto UMOUNT;
-+	}
-+  
-+	map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-+	if (map == MAP_FAILED) {
-+		log(L_VB,  "Can't map '%s':  %s\n",
-+		    policy_file, strerror(errno));
-+		goto UMOUNT;
-+	}
-+
-+
-+	/* Set booleans based on a booleans configuration file. */
-+	ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
-+	if (ret < 0) {
-+		if (errno == ENOENT || errno == EINVAL) {
-+			/* No booleans file or stale booleans in the file; non-fatal. */
-+			log(L_VB,"Warning!  Error while setting booleans:  %s\n"
-+			    , strerror(errno));
-+		} else {
-+			log(L_VB,"Error while setting booleans:  %s\n", 
-+			    strerror(errno));
-+			goto UMOUNT;
-+		}
-+	}
-+	log(L_VB, "Loading security policy\n");
-+	ret=security_load_policy(map, sb.st_size);
-+	if (ret < 0) {
-+		log(L_VB, "security_load_policy failed\n");
-+	}
-+
-+UMOUNT:
-+	/*umount(SELINUXMNT); */
-+	if ( fd >= 0) {
-+		close(fd);
-+	}
-+	return(ret);
-+}
-+
- /*
-  *	Sleep a number of seconds.
-  *
-@@ -2513,6 +2658,7 @@
+@@ -2513,6 +2515,7 @@
  	char			*p;
  	int			f;
  	int			isinit;
@@ -175,13 +17,13 @@
  
  	/* Get my own name */
  	if ((p = strrchr(argv[0], '/')) != NULL)
-@@ -2576,6 +2722,20 @@
+@@ -2576,6 +2579,20 @@
  		maxproclen += strlen(argv[f]) + 1;
  	}
  
 +  	if (getenv("SELINUX_INIT") == NULL) {
 +	  putenv("SELINUX_INIT=YES");
-+	  if (load_policy(&enforce) == 0 ) {
++	  if (selinux_init_load_policy(&enforce) == 0 ) {
 +	    execv(myname, argv);
 +	  } else {
 +	    if (enforce > 0) {
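Review bot: The result of `execv(myname, argv)` is not handled after `selinux_init_load_policy(&enforce)` succeeds. If the re-exec fails, control leaves the `if` and init appears to go on booting without having re-executed under the freshly loaded policy, and nothing is logged. A line after the call, such as `log(L_VB, "re-exec of %s failed: %s\n", myname, strerror(errno));` (the logging call the removed `load_policy` used), would make that state visible. The failure branch reads `enforce`, so its declaration, which is outside this hunk, should initialise it in case the library returns before writing to it. The block continues past the end of the hunk.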
@@ -196,8 +38,41 @@
  	/* Start booting. */
  	argv0 = argv[0];
  	argv[1] = NULL;
---- sysvinit-2.85/src/sulogin.c.selinux	2004-08-11 17:48:22.000000000 -0400
-+++ sysvinit-2.85/src/sulogin.c	2004-08-11 17:48:23.000000000 -0400
+--- sysvinit-2.85/src/Makefile.selinux	2005-10-14 14:16:24.000000000 -0400
++++ sysvinit-2.85/src/Makefile	2005-10-14 14:16:24.000000000 -0400
+@@ -32,7 +32,7 @@
+ all:		$(PROGS)
+ 
+ init:		init.o init_utmp.o
+-		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
++		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
+ 
+ halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
+ 		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
+@@ -50,7 +50,7 @@
+ 		$(CC) $(LDFLAGS) -o $@ runlevel.o
+ 
+ sulogin:	sulogin.o md5_broken.o md5_crypt_broken.o
+-		$(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
++		$(CC) $(LDFLAGS) $(STATIC) -DWITH_SELINUX -o $@ $^ $(LCRYPT) -lselinux
+ 
+ wall:		dowall.o wall.o
+ 		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
+@@ -61,8 +61,11 @@
+ bootlogd:	bootlogd.o
+ 		$(CC) $(LDFLAGS) -o $@ bootlogd.o
+ 
++sulogin.o:	sulogin.c 
++		$(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c
++
+ init.o:		init.c init.h set.h reboot.h
+-		$(CC) -c $(CFLAGS) init.c
++		$(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
+ 
+ utmp.o:		utmp.c init.h
+ 		$(CC) -c $(CFLAGS) utmp.c
+--- sysvinit-2.85/src/sulogin.c.selinux	2005-10-14 14:16:24.000000000 -0400
++++ sysvinit-2.85/src/sulogin.c	2005-10-14 14:18:42.000000000 -0400
 @@ -28,7 +28,10 @@
  #  include <crypt.h>
  #endif
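Review bot: The `init` link line still carries `-lsepol`, although this revision drops `#include <sepol/sepol.h>` and the `sepol_genbools` call from init.c, so init may no longer reference libsepol directly. If the library is needed only through libselinux in a `$(STATIC)` link, it would normally have to follow it, as in `$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lselinux -lsepol`; otherwise it can be dropped. Separately, `-DWITH_SELINUX` on the `sulogin` link line has no effect because nothing is compiled in that rule; the define on the `sulogin.o` rule is the one that matters.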
@@ -210,25 +85,28 @@
  #define CHECK_DES	1
  #define CHECK_MD5	1
  
-@@ -332,6 +335,16 @@
+@@ -332,6 +335,19 @@
  	signal(SIGINT, SIG_DFL);
  	signal(SIGTSTP, SIG_DFL);
  	signal(SIGQUIT, SIG_DFL);
 +#ifdef WITH_SELINUX
 +	if (is_selinux_enabled > 0) {
 +	  security_context_t* contextlist=NULL;
-+	  if (get_ordered_context_list("root", 0, &contextlist) > 0) {
-+	    if (setexeccon(contextlist[0]) != 0) 
-+	      fprintf(stderr, "setexeccon faile\n");
-+	    freeconary(contextlist);
-+	  }
++	  char *seuser=NULL;
++	  char *level=NULL;
++	  if (getseuserbyname("root", &seuser, &level) == 0)
++		  if (get_ordered_context_list_with_level(seuser, level, 0, &contextlist) > 0) {
++			  if (setexeccon(contextlist[0]) != 0) 
++				  fprintf(stderr, "setexeccon faile\n");
++			  freeconary(contextlist);
++		  }
 +	}
 +#endif
  	execl(sushell, shell, NULL);
  	perror(sushell);
  
---- sysvinit-2.85/src/killall5.c.selinux	2004-08-11 17:48:22.000000000 -0400
-+++ sysvinit-2.85/src/killall5.c	2004-08-11 17:48:23.000000000 -0400
+--- sysvinit-2.85/src/killall5.c.selinux	2005-10-14 14:16:24.000000000 -0400
++++ sysvinit-2.85/src/killall5.c	2005-10-14 14:16:24.000000000 -0400
 @@ -144,8 +144,11 @@
  
  /*
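Review bot: `is_selinux_enabled > 0` in the `#ifdef WITH_SELINUX` block tests the function's address instead of calling it, so the condition does not reflect whether SELinux is enabled; it should read `if (is_selinux_enabled() > 0) {`. In the new lines, a failure of `getseuserbyname("root", &seuser, &level)` or an empty context list falls through to `execl(sushell, shell, NULL)` with no message, so the single-user root shell starts without an explicitly set exec context. An `else` that reports the failure on stderr would make that visible. `seuser` and `level` are never freed, which only matters if `execl` fails; `free(seuser); free(level);` after the inner block would cover that path. The enclosing function starts and ends outside the hunk.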
@@ -248,17 +126,13 @@
  		}
 -		p->sid = getsid(pid);
 -		if (p->sid < 0) {
--			p->sid = 0;
--			nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
--			free(p);
--			continue;
 +		if (needSid) {
 +		  p->sid = getsid(pid);
 +		  if (p->sid < 0) {
-+			p->sid = 0;
-+			nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
-+			free(p);
-+			continue;
+ 			p->sid = 0;
+ 			nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
+ 			free(p);
+ 			continue;
 +		  }
 +		} else {
 +		    p->sid = 0;
@@ -283,36 +157,3 @@
  		kill(-1, SIGCONT);
  		exit(1);
  	}
---- sysvinit-2.85/src/Makefile.selinux	2004-08-11 17:48:23.000000000 -0400
-+++ sysvinit-2.85/src/Makefile	2004-08-12 00:08:39.000000000 -0400
-@@ -32,7 +32,7 @@
- all:		$(PROGS)
- 
- init:		init.o init_utmp.o
--		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
-+		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
- 
- halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
- 		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
-@@ -50,7 +50,7 @@
- 		$(CC) $(LDFLAGS) -o $@ runlevel.o
- 
- sulogin:	sulogin.o md5_broken.o md5_crypt_broken.o
--		$(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
-+		$(CC) $(LDFLAGS) $(STATIC) -DWITH_SELINUX -o $@ $^ $(LCRYPT) -lselinux
- 
- wall:		dowall.o wall.o
- 		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
-@@ -61,8 +61,11 @@
- bootlogd:	bootlogd.o
- 		$(CC) $(LDFLAGS) -o $@ bootlogd.o
- 
-+sulogin.o:	sulogin.c 
-+		$(CC) -c $(CFLAGS) -DWITH_SELINUX sulogin.c
-+
- init.o:		init.c init.h set.h reboot.h
--		$(CC) -c $(CFLAGS) init.c
-+		$(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
- 
- utmp.o:		utmp.c init.h
- 		$(CC) -c $(CFLAGS) utmp.c



