[RFC] change policy loading to initramfs

Bill Nottingham notting at redhat.com
Thu Jan 24 21:31:49 UTC 2008


Peter Jones (pjones at redhat.com) said: 
> This is what I get for coding during budget meetings.

Here's an updated patch (tested) that incorporates your changes.

At the moment, while load_policy -i would work, I'm not sure it's best
for Fedora right now as it would require pulling chroot into the initrd,
and handling return code checking in nash's not-quite-a-shell environment.
It's actually simpler to just call the policy load directly.

Bill
diff -up mkinitrd-6.0.28/nash/nash.c.foo mkinitrd-6.0.28/nash/nash.c
--- mkinitrd-6.0.28/nash/nash.c.foo	2008-01-09 12:12:28.000000000 -0500
+++ mkinitrd-6.0.28/nash/nash.c	2008-01-24 16:28:20.000000000 -0500
@@ -60,6 +60,8 @@
 
 #include <libdevmapper.h>
 
+#include <selinux/selinux.h>
+
 #include <bdevid.h>
 
 #include <nash.h>
@@ -1718,6 +1720,54 @@ mkdirCommand(char * cmd, char * end)
     return 0;
 }
 
+
+static int
+loadPolicyCommand(char * cmd, char *end)
+{
+    int enforce = 0;
+    int rootfd;
+
+    rootfd = open("/", O_DIRECTORY|O_RDONLY);
+
+    if (rootfd < 0) {
+        eprintf("loadpolicy: could not open directory: %m\n");
+        return 1;
+    }
+    
+    if (chdir("/sysroot") != 0) {
+        eprintf("loadpolicy: unable to change directory: %m\n");
+        close(rootfd);
+        return 1;
+    }
+
+    if (chroot("/sysroot") != 0) {
+        eprintf("loadpolicy: chroot failed: %m\n");
+        close(rootfd);
+        return 1;
+    }
+
+    if (selinux_init_load_policy(&enforce) != 0 && enforce > 0) {
+        eprintf("Unable to load SELinux policy (%m). Halting now.\n");
+        sleep(-1);
+        exit(1);
+    }
+
+    if (fchdir(rootfd) < 0) {
+        eprintf("loadpolicy: unable to change directory: %m\n");
+        sleep(-1);
+        exit(1);
+    }
+
+    if (chroot("..") < 0) {
+        eprintf("loadpolicy: chroot failed: %m\n");
+        sleep(-1);
+        exit(1);
+    }
+
+    close(rootfd);
+    return 0;
+}
+
 static int
 accessCommand(char * cmd, char * end)
 {
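Review bot: The early failure paths in loadPolicyCommand (the open(), chdir() and chroot("/sysroot") checks) return 1 and let the boot continue with no policy loaded, while a policy-load failure in enforcing mode halts; since the cover letter says nash does not act on command return codes, a failed chroot into /sysroot quietly yields a boot without policy. The load branch is also silent when enforce is not greater than 0: nothing is logged when selinux_init_load_policy fails in permissive mode. Capturing the result first, `int rc = selinux_init_load_policy(&enforce);`, lets the halting test stay as is and adds `else if (rc != 0) eprintf("loadpolicy: policy load failed (%m), continuing\n");`, and a one-line comment on the return-1 paths should state that the caller ignores the status. `sleep(-1)` relies on the implicit conversion to UINT_MAX to mean "wait forever"; `for (;;) pause();` says so directly and is not ended early by a stray signal.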
@@ -2728,6 +2778,7 @@ static const struct commandHandler handl
     { "find", findCommand },
     { "kernelopt", printKernelOpt },
     { "loadDrivers", loadDriversCommand },
+    { "loadpolicy", loadPolicyCommand },
     { "mkblktab", mkblktabCommand },
     { "mkblkdevs", mkblkdevsCommand },
     { "mkdir", mkdirCommand },
diff -up mkinitrd-6.0.28/mkinitrd.foo mkinitrd-6.0.28/mkinitrd
--- mkinitrd-6.0.28/mkinitrd.foo	2008-01-23 17:09:26.000000000 -0500
+++ mkinitrd-6.0.28/mkinitrd	2008-01-23 17:10:23.000000000 -0500
@@ -1692,6 +1692,13 @@ if [ -n "$dhclient_leases_cmd" ]; then
     emit "$dhclient_leases_cmd"
 fi
 
+SELINUX=
+[ -f /etc/selinux/config ] && . /etc/selinux/config
+if [ -n "$SELINUX" -a "$SELINUX" != "disabled" ]; then
+    emit "echo Loading SELinux policy."
+    emit "loadpolicy"
+fi
+
 emit "echo Switching to new root and running init."
 emit "switchroot"
 emit "echo Booting has failed."
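Review bot: `. /etc/selinux/config` executes the file as shell inside mkinitrd rather than reading one key: every assignment and any command it contains runs with mkinitrd's privileges, and variables such as SELINUXTYPE leak into the rest of the script. Only the SELINUX value is needed here, so extracting it keeps the config file as data, e.g. `SELINUX=$(sed -n 's/^SELINUX=//p' /etc/selinux/config 2>/dev/null)` (assuming the value is written unquoted, as in the stock file). The `-a` in `[ -n "$SELINUX" -a "$SELINUX" != "disabled" ]` is an obsolescent test form; `[ -n "$SELINUX" ] && [ "$SELINUX" != "disabled" ]` is the portable spelling.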

