[sysvinit-devel] sysvinit 2.88 and SELinux policy

sysvinit-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[sysvinit-devel] sysvinit 2.88 and SELinux policy

From:	Martin Orr
Subject:	[sysvinit-devel] sysvinit 2.88 and SELinux policy
Date:	Fri, 07 May 2010 19:24:27 +0100
User-agent:	Internet Messaging Program (IMP) H3 (4.0.5)

With sysvinit 2.88 my SELinux policy is not loaded on boot; withsysvinit 2.87 everything worked fine. I am running Debian; myinitramfs mounts /proc but does not know about SELinux.


Here are the two pieces of code:

Old code:
   if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
           putenv("SELINUX_INIT=YES");
           if (selinux_init_load_policy(&enforce) == 0 ) {
                   execv(myname, argv);
           } else {
                   if (enforce > 0) {

/* SELinux in enforcing mode butload_policy failed *//* At this point, we probably can't open/dev/console, so log() won't work */printf("Unable to load SELinux Policy.Machine is in enforcing mode. Halting now.\n");

                           exit(1);
                   }
           }
   }


New code:
   if (getenv("SELINUX_INIT") == NULL) {
     const int rc = mount("proc", "/proc", "proc", 0, 0);
     if (is_selinux_enabled() > 0) {
       putenv("SELINUX_INIT=YES");
       if (rc == 0) umount2("/proc", MNT_DETACH);
       if (selinux_init_load_policy(&enforce) == 0) {
         execv(myname, argv);
       } else {
         if (enforce > 0) {
           /* SELinux in enforcing mode but load_policy failed */

/* At this point, we probably can't open /dev/console, solog() won't work */fprintf(stderr,"Unable to load SELinux Policy. Machine isin enforcing mode. Halting now.\n");

           exit(1);
         }
       }
     }
     if (rc == 0) umount2("/proc", MNT_DETACH);
   }

The differences here are that the new code ensures that /proc ismounted, and !is_selinux_enabled() becomes (is_selinux_enabled() > 0).


I think the change was due to this:
http://thread.gmane.org/gmane.comp.security.selinux/13320
(is_selinux_enabled() returns -1 if /proc not mounted).

I am not clear what the purpose of this is_selinux_enabled() check is:is it to avoid loading policy if policy has already been loaded by theinitramfs, or is it to find out whether the system has been configuredto use SELinux?

If it is the first, then I think the test should be put back to!is_selinux_enabled() - since init ensures /proc is mounted that shouldwork with or without an initramfs.

If it is the second, then is_selinux_enabled() can't tell you thatbecause it only returns 1 after a policy has been loaded.


Best wishes,
Martin

[Prev in Thread]

Current Thread

[Next in Thread]

[sysvinit-devel] sysvinit 2.88 and SELinux policy, Martin Orr <=
- [sysvinit-devel] Re: sysvinit 2.88 and SELinux policy, Michal Svoboda, 2010/05/08
  - [sysvinit-devel] Re: [Pkg-sysvinit-devel] Bug#580272: sysvinit 2.88 and SELinux policy, Petter Reinholdtsen, 2010/05/12
    - [sysvinit-devel] Re: [Pkg-sysvinit-devel] Bug#580272: sysvinit 2.88 and SELinux policy, Martin Orr, 2010/05/12

Prev by Date: Re: [sysvinit-devel] Makefile generate empty directories for every invokation
Next by Date: [sysvinit-devel] Re: sysvinit 2.88 and SELinux policy
Previous by thread: [sysvinit-devel] Makefile generate empty directories for every invokation
Next by thread: [sysvinit-devel] Re: sysvinit 2.88 and SELinux policy
Index(es):
- Date
- Thread