[Initng-svn] r4066 - in initng/trunk: . plugins plugins/selinux src
svn at initng.thinktux.net
svn at initng.thinktux.net
Mon May 8 13:27:37 CEST 2006
Author: jimmy
Date: Mon May 8 13:27:36 2006
New Revision: 4066
Added:
initng/trunk/plugins/selinux/
initng/trunk/plugins/selinux/CMakeLists.txt
initng/trunk/plugins/selinux/PLUGIN_DESCRIPTION
initng/trunk/plugins/selinux/initng_selinux.c
Modified:
initng/trunk/CMakeLists.txt
initng/trunk/plugins/CMakeLists.txt
initng/trunk/plugins/bash_launcher/initng_bash_launcher.c
initng/trunk/src/main.c
Log:
Move all selinux code to an own plugin.
This is totally untested since I don't have an SELinux machine to test on.
Modified: initng/trunk/CMakeLists.txt
==============================================================================
--- initng/trunk/CMakeLists.txt (original)
+++ initng/trunk/CMakeLists.txt Mon May 8 13:27:36 2006
@@ -78,6 +78,7 @@
OPTION(BUILD_RELOAD "Build reload plugin" ON)
OPTION(BUILD_RENICE "Build renice plugin" ON)
OPTION(BUILD_RLPARSER "Build rlparser plugin" ON)
+OPTION(BUILD_SELINUX "Build selinux plugin" OFF)
OPTION(BUILD_SIMPLE_LAUNCHER "Build simple_launcher plugin" ON)
OPTION(BUILD_USPLASH "Build usplash plugin" OFF)
OPTION(BUILD_STCMD "Build stcmd plugin" ON)
Modified: initng/trunk/plugins/CMakeLists.txt
==============================================================================
--- initng/trunk/plugins/CMakeLists.txt (original)
+++ initng/trunk/plugins/CMakeLists.txt Mon May 8 13:27:36 2006
@@ -128,6 +128,10 @@
ADD_SUBDIRECTORY( rlparser )
ENDIF(BUILD_RLPARSER)
+IF(BUILD_SELINUX)
+ ADD_SUBDIRECTORY( selinux )
+ENDIF(BUILD_SELINUX)
+
IF(BUILD_SIMPLE_LAUNCHER)
ADD_SUBDIRECTORY( simple_launcher )
ENDIF(BUILD_SIMPLE_LAUNCHER)
Modified: initng/trunk/plugins/bash_launcher/initng_bash_launcher.c
==============================================================================
--- initng/trunk/plugins/bash_launcher/initng_bash_launcher.c (original)
+++ initng/trunk/plugins/bash_launcher/initng_bash_launcher.c Mon May 8 13:27:36 2006
@@ -32,10 +32,6 @@
#include <pwd.h>
#include <sys/stat.h>
#include <errno.h>
-#ifdef SELINUX
-#include <selinux/selinux.h>
-#include <selinux/context.h>
-#endif
#ifdef BUSYBOX
#include "../../busybox-1.00/include/busybox.h"
@@ -59,9 +55,6 @@
s_entry SCRIPT_OPT = { "script_opt", VARIABLE_STRING, NULL,
"The options bash should get."
};
-s_entry SELINUX_CONTEXT = { "selinux_context", STRING, NULL,
- "The selinux context to start in."
-};
static void bash_this(const char *bash_code, active_db_h * s,
const char *args);
@@ -122,47 +115,9 @@
argtmp[3] = i_strdup(args);
argtmp[4] = NULL;
-#ifdef SELINUX
- const char *selinux_context = get_string(&SELINUX_CONTEXT, s);
- char *sestr = NULL;
- context_t seref = NULL;
- int rc = 0;
- char *sedomain;
-
- if (selinux_context)
- {
- sedomain = (char *) malloc((sizeof(char) * strlen(selinux_context) +
- 1));
- strcpy(sedomain, selinux_context);
- }
- else
- {
- sedomain = (char *) malloc((sizeof(char) * 9));
- strcpy(sedomain, "initrc_t");
- }
- rc = getcon(&sestr);
- if (rc < 0)
- goto fail;
- seref = context_new(sestr);
- if (!seref)
- goto fail;
- if (context_type_set(seref, sedomain))
- goto fail;
- freecon(sestr);
- sestr = context_str(seref);
- if (!sestr)
- goto fail;
- rc = setexeccon(sestr);
- if (rc < 0)
- goto fail;
-#endif
-
/* execute */
execve("/bin/sh", argtmp, new_environ(s));
-#ifdef SELINUX
- fail:
- F_("bash_this(): could not change selinux context!\n ERROR!\n");
-#endif
+
/* free them all */
{
int i = 0;
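Review bot: With the setexeccon() call gone from in front of `execve("/bin/sh", argtmp, new_environ(s));`, nothing left in this file constrains the SELinux domain the script is launched in; that now depends entirely on the separate selinux plugin, which is listed under Added but not shown in this diff. If that plugin sets the exec context from a LAUNCH hook, it presumably has to be registered at a priority that runs before the 51 used for initng_bash in a later hunk, or the context will not be in place when /bin/sh is started — worth confirming, particularly as the log says the change is untested. The same ordering question applies to the policy-loading code removed from main.c further down: a plugin is loaded later than the inline code ran, so anything started before it would run with no policy loaded. The bash_this() body starts and ends outside this hunk.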
@@ -232,7 +187,6 @@
initng_service_data_type_register(&SCRIPT);
initng_service_data_type_register(&SCRIPT_OPT);
- initng_service_data_type_register(&SELINUX_CONTEXT);
initng_plugin_hook_register(&g.LAUNCH, 51, &initng_bash);
return (TRUE);
@@ -242,7 +196,6 @@
{
initng_service_data_type_unregister(&SCRIPT);
initng_service_data_type_unregister(&SCRIPT_OPT);
- initng_service_data_type_unregister(&SELINUX_CONTEXT);
D_("initng_simple_plugin: module_unload();\n");
initng_plugin_hook_unregister(&g.LAUNCH, &initng_bash);
Modified: initng/trunk/src/main.c
==============================================================================
--- initng/trunk/src/main.c (original)
+++ initng/trunk/src/main.c Mon May 8 13:27:36 2006
@@ -43,10 +43,6 @@
#include <sys/un.h> /* memmove() strcmp() */
#include <sys/wait.h> /* waitpid() sa */
#include <sys/mount.h>
-#ifdef SELINUX
-#include <selinux/selinux.h>
-#include <sepol/sepol.h>
-#endif
#include "initng_global.h"
#include "initng_signal.h"
@@ -64,209 +60,6 @@
#include "initng_global.h"
#define TIMEOUT 60000
-#ifdef SELINUX
-/*older code no longer needed on FC5 and FCX (X>=5) */
-#ifdef OLDSELINUX
-/* Mount point for selinuxfs. */
-#define SELINUXMNT "/selinux/"
-int enforcing = -1;
-
-static int load_policy(int *enforce)
-{
- int fd = -1, ret = -1;
- size_t data_size;
- int rc = 0, orig_enforce;
- struct stat sb;
- void *map, *data;
- char policy_file[PATH_MAX];
- int policy_version = 0;
- FILE *cfg;
- char buf[4096];
- int seconfig = -2;
- char *nonconst; //Ugly hack!
-
- selinux_getenforcemode(&seconfig);
-
- mount("none", "/proc", "proc", 0, 0);
- cfg = fopen("/proc/cmdline", "r");
- if (cfg)
- {
- char *tmp;
-
- if (fgets(buf, 4096, cfg) && (tmp = strstr(buf, "enforcing=")))
- {
- if (tmp == buf || isspace(*(tmp - 1)))
- {
- enforcing = atoi(tmp + 10);
- }
- }
- fclose(cfg);
- }
-#define MNT_DETACH 2
- umount2("/proc", MNT_DETACH);
-
- if (enforcing >= 0)
- *enforce = enforcing;
- else if (seconfig == 1)
- *enforce = 1;
-
- if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0)
- {
- if (errno == ENODEV)
- {
- fprintf(stderr, "SELinux not supported by kernel: %s\n",
- strerror(errno));
- *enforce = 0;
- }
- else
- {
- fprintf(stderr, "Failed to mount %s: %s\n", SELINUXMNT,
- strerror(errno));
- }
- return ret;
- }
-
- nonconst = malloc(sizeof(SELINUXMNT));
- strcpy(nonconst, SELINUXMNT);
- set_selinuxmnt(nonconst); /* set manually since we mounted it */
- free(nonconst);
-
- policy_version = security_policyvers();
- if (policy_version < 0)
- {
- fprintf(stderr, "Can't get policy version: %s\n", strerror(errno));
- goto UMOUNT;
- }
-
- orig_enforce = rc = security_getenforce();
- if (rc < 0)
- {
- fprintf(stderr, "Can't get SELinux enforcement flag: %s\n",
- strerror(errno));
- goto UMOUNT;
- }
- if (enforcing >= 0)
- {
- *enforce = enforcing;
- }
- else if (seconfig == -1)
- {
- *enforce = 0;
- rc = security_disable();
- if (rc == 0)
- umount(SELINUXMNT);
- if (rc < 0)
- {
- rc = security_setenforce(0);
- if (rc < 0)
- {
- fprintf(stderr, "Can't disable SELinux: %s\n",
- strerror(errno));
- goto UMOUNT;
- }
- }
- ret = 0;
- goto UMOUNT;
- }
- else if (seconfig >= 0)
- {
- *enforce = seconfig;
- if (orig_enforce != *enforce)
- {
- rc = security_setenforce(seconfig);
- if (rc < 0)
- {
- fprintf(stderr, "Can't set SELinux enforcement flag: %s\n",
- strerror(errno));
- goto UMOUNT;
- }
- }
- }
-
- snprintf(policy_file, sizeof(policy_file), "%s.%d",
- selinux_binary_policy_path(), policy_version);
- fd = open(policy_file, O_RDONLY);
- if (fd < 0)
- {
- /* Check previous version to see if old policy is available
- */
- snprintf(policy_file, sizeof(policy_file), "%s.%d",
- selinux_binary_policy_path(), policy_version - 1);
- fd = open(policy_file, O_RDONLY);
- if (fd < 0)
- {
- fprintf(stderr, "Can't open '%s.%d': %s\n",
- selinux_binary_policy_path(), policy_version,
- strerror(errno));
- goto UMOUNT;
- }
- }
-
- if (fstat(fd, &sb) < 0)
- {
- fprintf(stderr, "Can't stat '%s': %s\n",
- policy_file, strerror(errno));
- goto UMOUNT;
- }
-
- map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
- if (map == MAP_FAILED)
- {
- fprintf(stderr, "Can't map '%s': %s\n",
- policy_file, strerror(errno));
- goto UMOUNT;
- }
-
-
- /* Set SELinux users based on a local.users configuration file. */
- ret = sepol_genusers(map, sb.st_size, selinux_users_path(), &data,
- &data_size);
- if (ret < 0)
- {
- fprintf(stderr,
- "Warning! Error while reading user configuration from %s/{local.users,system.users}: %s\n",
- selinux_users_path(), strerror(errno));
- data = map;
- data_size = sb.st_size;
- }
-
- /* Set booleans based on a booleans configuration file. */
- nonconst = malloc(sizeof(selinux_booleans_path()));
- strcpy(nonconst, selinux_booleans_path());
- ret = sepol_genbools(data, data_size, nonconst);
- free(nonconst);
- if (ret < 0)
- {
- if (errno == ENOENT || errno == EINVAL)
- {
- /* No booleans file or stale booleans in the file; non-fatal. */
- fprintf(stderr, "Warning! Error while setting booleans: %s\n",
- strerror(errno));
- }
- else
- {
- fprintf(stderr, "Error while setting booleans: %s\n",
- strerror(errno));
- goto UMOUNT;
- }
- }
- fprintf(stderr, "Loading security policy\n");
- ret = security_load_policy(data, data_size);
- if (ret < 0)
- {
- fprintf(stderr, "security_load_policy failed\n");
- }
-
- UMOUNT:
- /*umount(SELINUXMNT); */
- if (fd >= 0)
- {
- close(fd);
- }
- return (ret);
-}
-#endif
-#endif
static void setup_console(void)
{
@@ -380,65 +173,6 @@
#ifdef DEBUG
int loop_counter = 0; /* counts how many times the main_loop has run */
#endif
-#ifdef SELINUX
-#ifdef OLDSELINUX
- if ((fopen("/selinux/enforce", "r")) != NULL)
- goto BOOT;
- int enforce = -1;
- char *nonconst;
-
- if (getenv("SELINUX_INIT") == NULL)
- {
- nonconst = malloc(sizeof("SELINUX_INIT=YES"));
- strcpy(nonconst, "SELINUX_INIT=YES");
- putenv(nonconst);
- free(nonconst);
- if (load_policy(&enforce) == 0)
- {
- execv(argv[0], argv);
- }
- else
- {
- if (enforce > 0)
- {
- /* SELinux in enforcing mode but load_policy failed */
- /* At this point, we probably can't open /dev/console, so log() won't work */
- fprintf(stderr,
- "Enforcing mode requested but no policy loaded. Halting now.\n");
- exit(1);
- }
- }
- }
-
- BOOT:
-#endif
-#ifndef OLDSELINUX
- int enforce = 0;
- char *envstr;
-
- if (getenv("SELINUX_INIT") == NULL)
- {
- envstr = malloc(sizeof("SELINUX_INIT=YES"));
- strcpy(envstr, "SELINUX_INIT=YES");
- putenv(envstr);
- if (selinux_init_load_policy(&enforce) == 0)
- {
- execv(argv[0], argv);
- }
- else
- {
- if (enforce > 0)
- {
- /* SELinux in enforcing mode but load_policy failed */
- /* At this point, we probably can't open /dev/console, so log() won't work */
- fprintf(stderr,
- "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.");
- exit(1);
- }
- }
- }
-#endif
-#endif
S_;
/* maby initng is launched only for getting the version */