authorChris PeBenito <pebenito@gentoo.org>2005-01-04 02:03:14 +0000
committerChris PeBenito <pebenito@gentoo.org>2005-01-04 02:03:14 +0000
commit80e498af51742411c48c99615d6a14d43ca2edb8 (patch)
tree7dff705547d494433e468a4907dc114133291968 /sys-apps
parentAdded app-arch/cpio-2.5.90. (diff)
downloadgentoo-2-80e498af51742411c48c99615d6a14d43ca2edb8.tar.gz
gentoo-2-80e498af51742411c48c99615d6a14d43ca2edb8.tar.bz2
gentoo-2-80e498af51742411c48c99615d6a14d43ca2edb8.zip
fix up 2.86 selinux patch
Diffstat (limited to 'sys-apps')
-rw-r--r--sys-apps/sysvinit/ChangeLog9
-rw-r--r--sys-apps/sysvinit/files/2.86-selinux.patch94
-rw-r--r--sys-apps/sysvinit/files/sysvinit-2.86-selinux.patch242
-rw-r--r--sys-apps/sysvinit/sysvinit-2.86.ebuild4
4 files changed, 66 insertions, 283 deletions
diff --git a/sys-apps/sysvinit/ChangeLog b/sys-apps/sysvinit/ChangeLog
index fdc2e48373cc..3f1ca327ae12 100644
--- a/sys-apps/sysvinit/ChangeLog
+++ b/sys-apps/sysvinit/ChangeLog
@@ -1,6 +1,11 @@
# ChangeLog for sys-apps/sysvinit
-# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/sysvinit/ChangeLog,v 1.15 2004/12/22 03:25:20 vapier Exp $
+# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/sysvinit/ChangeLog,v 1.16 2005/01/04 02:03:14 pebenito Exp $
+
+ 03 Jan 2005; Chris PeBenito <pebenito@gentoo.org>
+ files/2.86-selinux.patch, -files/sysvinit-2.86-selinux.patch,
+ sysvinit-2.86.ebuild:
+ Fix up SELinux patch for 2.86.
*sysvinit-2.86 (21 Dec 2004)
diff --git a/sys-apps/sysvinit/files/2.86-selinux.patch b/sys-apps/sysvinit/files/2.86-selinux.patch
index 9bda14ef63a7..3110bc52befb 100644
--- a/sys-apps/sysvinit/files/2.86-selinux.patch
+++ b/sys-apps/sysvinit/files/2.86-selinux.patch
@@ -1,24 +1,31 @@
---- sysvinit-2.85/src/Makefile.selinux 2004-06-09 15:28:47.439412648 -0400
-+++ sysvinit-2.85/src/Makefile 2004-06-09 15:28:47.517400792 -0400
-@@ -12,2 +12,4 @@
+diff -urN sysvinit-2.86.orig/src/Makefile sysvinit-2.86/src/Makefile
+--- sysvinit-2.86.orig/src/Makefile 2004-06-09 08:47:45.000000000 -0400
++++ sysvinit-2.86/src/Makefile 2005-01-03 20:25:59.922659928 -0500
+@@ -12,6 +12,8 @@
+ CFLAGS = -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE
+ LDFLAGS = -s
STATIC =
+CFLAGS += -DWITH_SELINUX
-+LDFLAGS += -lselinux
++LDFLAGS += -lselinux -lsepol
---- sysvinit-2.85/src/init.c.selinux 2004-06-09 15:28:47.478406720 -0400
-+++ sysvinit-2.85/src/init.c 2004-06-09 15:29:03.208015456 -0400
-@@ -48,6 +48,10 @@
+ # For some known distributions we do not build all programs, otherwise we do.
+ BIN =
+diff -urN sysvinit-2.86.orig/src/init.c sysvinit-2.86/src/init.c
+--- sysvinit-2.86.orig/src/init.c 2004-07-30 08:16:20.000000000 -0400
++++ sysvinit-2.86/src/init.c 2005-01-03 20:46:39.485217776 -0500
+@@ -42,6 +42,11 @@
#include <stdarg.h>
#include <sys/syslog.h>
#include <sys/time.h>
+#include <sys/mman.h>
+#include <selinux/selinux.h>
++#include <sepol/sepol.h>
+#include <sys/mount.h>
+
#ifdef __i386__
# if (__GLIBC__ >= 2)
-@@ -103,6 +107,7 @@
+@@ -104,6 +109,7 @@
int dfl_level = 0; /* Default runlevel */
sig_atomic_t got_cont = 0; /* Set if we received the SIGCONT signal */
sig_atomic_t got_signals; /* Set if we received a signal. */
@@ -26,9 +33,9 @@
int emerg_shell = 0; /* Start emergency shell? */
int wrote_wtmp_reboot = 1; /* Set when we wrote the reboot record */
int wrote_utmp_reboot = 1; /* Set when we wrote the reboot record */
-@@ -187,6 +192,130 @@
- {NULL,0}
- };
+@@ -192,6 +198,142 @@
+ char *extra_env[NR_EXTRA_ENV];
+
+/* Mount point for selinuxfs. */
+#define SELINUXMNT "/selinux/"
@@ -36,12 +43,11 @@
+static int load_policy(int *enforce)
+{
+ int fd=-1,ret=-1;
-+ int rc=0;
++ int rc=0, orig_enforce;
+ struct stat sb;
+ void *map;
+ char policy_file[PATH_MAX];
+ int policy_version=0;
-+ extern char *selinux_mnt;
+ FILE *cfg;
+ char buf[4096];
+ int seconfig = -2;
@@ -69,25 +75,25 @@
+
+ if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
+ if (errno == ENODEV) {
-+ log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
++ initlog(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
+ *enforce = 0;
+ } else {
-+ log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
++ initlog(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
+ }
+ return ret;
+ }
+
-+ selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
++ set_selinuxmnt(SELINUXMNT); /* set manually since we mounted it */
+
+ policy_version=security_policyvers();
+ if (policy_version < 0) {
-+ log(L_VB, "Can't get policy version: %s\n", strerror(errno));
++ initlog(L_VB, "Can't get policy version: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+
-+ rc = security_getenforce();
++ orig_enforce = rc = security_getenforce();
+ if (rc < 0) {
-+ log(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno));
++ initlog(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+ if (enforcing >= 0) {
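Review bot: The renamed `initlog` call for the ENODEV case still passes two arguments (`SELINUXMNT`, `strerror(errno)`) to a format with a single `%s`, so the mount point is printed where the error text is expected and the strerror result is dropped; the sibling "Failed to mount" message two lines later has two `%s` and is correct. Suggested line: `initlog(L_VB, "SELinux not supported by kernel (%s): %s\n", SELINUXMNT, strerror(errno));`. Compiling with `-Wformat` would have caught this, and the same warning flag is worth keeping on for the other `initlog` calls in this function. load_policy's body begins and continues outside this hunk.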
@@ -99,7 +105,7 @@
+ if (rc < 0) {
+ rc = security_setenforce(0);
+ if (rc < 0) {
-+ log(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
++ initlog(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
+ goto UMOUNT;
+ }
+ }
@@ -107,10 +113,12 @@
+ goto UMOUNT;
+ } else if (seconfig >= 0) {
+ *enforce = seconfig;
-+ rc = security_setenforce(seconfig);
-+ if (rc < 0) {
-+ log(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
-+ goto UMOUNT;
++ if (orig_enforce != *enforce) {
++ rc = security_setenforce(seconfig);
++ if (rc < 0) {
++ initlog(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
++ goto UMOUNT;
++ }
+ }
+ }
+
@@ -122,28 +130,39 @@
+ snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
+ fd = open(policy_file, O_RDONLY);
+ if (fd < 0) {
-+ log(L_VB, "Can't open '%s.%d': %s\n",
++ initlog(L_VB, "Can't open '%s.%d': %s\n",
+ selinux_binary_policy_path(),policy_version,strerror(errno));
+ goto UMOUNT;
+ }
+ }
+
+ if (fstat(fd, &sb) < 0) {
-+ log(L_VB, "Can't stat '%s': %s\n",
++ initlog(L_VB, "Can't stat '%s': %s\n",
+ policy_file, strerror(errno));
+ goto UMOUNT;
+ }
+
-+ map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
++ map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ if (map == MAP_FAILED) {
-+ log(L_VB, "Can't map '%s': %s\n",
++ initlog(L_VB, "Can't map '%s': %s\n",
+ policy_file, strerror(errno));
+ goto UMOUNT;
+ }
-+ log(L_VB, "Loading security policy\n");
++
++
++ /* Set booleans based on a booleans configuration file. */
++ ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
++ if (ret < 0) {
++ if (errno != ENOENT && errno != EINVAL) {
++ initlog(L_VB,"Error while setting booleans: %s\n",
++ strerror(errno));
++ goto UMOUNT;
++ }
++ }
++ initlog(L_VB, "Loading security policy\n");
+ ret=security_load_policy(map, sb.st_size);
+ if (ret < 0) {
-+ log(L_VB, "security_load_policy failed\n");
++ initlog(L_VB, "security_load_policy failed\n");
+ }
+
+UMOUNT:
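Review bot: When the fallback to the previous policy version fails, the "Can't open" message reports `policy_version` although the file actually tried was built with `policy_version-1`, so the logged name differs from `policy_file`; since `policy_file` already holds the exact path, `initlog(L_VB, "Can't open '%s': %s\n", policy_file, strerror(errno));` would be accurate for both attempts. Separately, the mapping created by the new `PROT_READ | PROT_WRITE, MAP_PRIVATE` mmap is passed to `sepol_genbools` and `security_load_policy` but nothing in this hunk unmaps it; the `UMOUNT:` cleanup is outside the hunk, and if it still only closes `fd` (as the deleted copy of this patch below shows), the policy image stays mapped in init on the failure path where init does not re-exec itself. A `munmap(map, sb.st_size)` guarded by a `map != MAP_FAILED` check under `UMOUNT:` would close that gap.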
@@ -157,7 +176,7 @@
/*
* Sleep a number of seconds.
*
-@@ -2513,6 +2642,7 @@
+@@ -2599,6 +2741,7 @@
char *p;
int f;
int isinit;
@@ -165,7 +184,7 @@
/* Get my own name */
if ((p = strrchr(argv[0], '/')) != NULL)
-@@ -2576,6 +2706,20 @@
+@@ -2662,6 +2805,20 @@
maxproclen += strlen(argv[f]) + 1;
}
@@ -177,7 +196,7 @@
+ if (enforce > 0) {
+ /* SELinux in enforcing mode but load_policy failed */
+ /* At this point, we probably can't open /dev/console, so log() won't work */
-+ printf("Enforcing mode requested but no policy loaded. Halting now.\n");
++ fprintf(stderr,"Enforcing mode requested but no policy loaded. Halting now.\n");
+ exit(1);
+ }
+ }
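Review bot: The comment above the new `fprintf(stderr, ...)` still says "so log() won't work", but the patch has renamed every logging call in init.c to `initlog`, so the comment now names a function the code no longer uses. Suggested wording: `/* At this point, we probably can't open /dev/console, so initlog() won't work */`. The enclosing function (init's main) starts and ends outside this hunk.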
@@ -186,9 +205,10 @@
/* Start booting. */
argv0 = argv[0];
argv[1] = NULL;
---- sysvinit-2.85/src/sulogin.c.selinux 2004-06-09 15:28:47.321430584 -0400
-+++ sysvinit-2.85/src/sulogin.c 2004-06-09 15:28:47.523399880 -0400
-@@ -28,7 +28,10 @@
+diff -urN sysvinit-2.86.orig/src/sulogin.c sysvinit-2.86/src/sulogin.c
+--- sysvinit-2.86.orig/src/sulogin.c 2004-07-30 07:40:28.000000000 -0400
++++ sysvinit-2.86/src/sulogin.c 2005-01-03 20:30:48.746751992 -0500
+@@ -27,7 +27,10 @@
#if defined(__GLIBC__)
# include <crypt.h>
#endif
@@ -200,7 +220,7 @@
#define CHECK_DES 1
#define CHECK_MD5 1
-@@ -332,6 +335,16 @@
+@@ -335,6 +338,16 @@
signal(SIGINT, SIG_DFL);
signal(SIGTSTP, SIG_DFL);
signal(SIGQUIT, SIG_DFL);
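Review bot: Only the inner hunk header is adjusted here, so the SELinux block that follows these three `signal` lines is not shown, but the deleted copy of this patch below has it as `if (is_selinux_enabled > 0)`, which compares the address of the function rather than its return value and is therefore always true; if the retained file still carries that line it should read `if (is_selinux_enabled() > 0) {`. The same block in the deleted copy has the message `"setexeccon faile\n"`, which looks like a truncated "failed" and is worth checking while this hunk is being touched. The enclosing function in sulogin.c starts and ends outside this hunk.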
diff --git a/sys-apps/sysvinit/files/sysvinit-2.86-selinux.patch b/sys-apps/sysvinit/files/sysvinit-2.86-selinux.patch
deleted file mode 100644
index 4ba08b635071..000000000000
--- a/sys-apps/sysvinit/files/sysvinit-2.86-selinux.patch
+++ /dev/null
@@ -1,242 +0,0 @@
---- sysvinit-2.85/src/Makefile.selinux 2004-06-09 15:28:47.439412648 -0400
-+++ sysvinit-2.85/src/Makefile 2004-06-09 15:28:47.517400792 -0400
-@@ -35,7 +35,7 @@
- all: $(PROGS)
-
- init: init.o init_utmp.o
-- $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
-+ $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lselinux
-
- halt: halt.o ifdown.o hddown.o utmp.o reboot.h
- $(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
-@@ -53,7 +53,7 @@
- $(CC) $(LDFLAGS) -o $@ runlevel.o
-
- sulogin: sulogin.o
-- $(CC) $(LDFLAGS) $(STATIC) -o $@ sulogin.o $(LCRYPT)
-+ $(CC) $(LDFLAGS) $(STATIC) -DWITH_SELINUX -o $@ sulogin.o $(LCRYPT) -lselinux
-
- wall: dowall.o wall.o
- $(CC) $(LDFLAGS) -o $@ dowall.o wall.o
-@@ -64,7 +64,7 @@
- bootlogd: bootlogd.o
- $(CC) $(LDFLAGS) -o $@ bootlogd.o
-
- init.o: init.c init.h set.h reboot.h
-- $(CC) -c $(CFLAGS) init.c
-+ $(CC) -c $(CFLAGS) -DWITH_SELINUX init.c
-
- utmp.o: utmp.c init.h
- $(CC) -c $(CFLAGS) utmp.c
---- sysvinit-2.85/src/init.c.selinux 2004-06-09 15:28:47.478406720 -0400
-+++ sysvinit-2.85/src/init.c 2004-06-09 15:29:03.208015456 -0400
-@@ -48,6 +48,10 @@
- #include <stdarg.h>
- #include <sys/syslog.h>
- #include <sys/time.h>
-+#include <sys/mman.h>
-+#include <selinux/selinux.h>
-+#include <sys/mount.h>
-+
-
- #ifdef __i386__
- # if (__GLIBC__ >= 2)
-@@ -103,6 +107,7 @@
- int dfl_level = 0; /* Default runlevel */
- sig_atomic_t got_cont = 0; /* Set if we received the SIGCONT signal */
- sig_atomic_t got_signals; /* Set if we received a signal. */
-+int enforcing = -1; /* SELinux enforcing mode */
- int emerg_shell = 0; /* Start emergency shell? */
- int wrote_wtmp_reboot = 1; /* Set when we wrote the reboot record */
- int wrote_utmp_reboot = 1; /* Set when we wrote the reboot record */
-@@ -187,6 +192,130 @@
- {NULL,0}
- };
-
-+/* Mount point for selinuxfs. */
-+#define SELINUXMNT "/selinux/"
-+
-+static int load_policy(int *enforce)
-+{
-+ int fd=-1,ret=-1;
-+ int rc=0;
-+ struct stat sb;
-+ void *map;
-+ char policy_file[PATH_MAX];
-+ int policy_version=0;
-+ extern char *selinux_mnt;
-+ FILE *cfg;
-+ char buf[4096];
-+ int seconfig = -2;
-+
-+ selinux_getenforcemode(&seconfig);
-+
-+ mount("none", "/proc", "proc", 0, 0);
-+ cfg = fopen("/proc/cmdline","r");
-+ if (cfg) {
-+ char *tmp;
-+ if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
-+ if (tmp == buf || isspace(*(tmp-1))) {
-+ enforcing=atoi(tmp+10);
-+ }
-+ }
-+ fclose(cfg);
-+ }
-+#define MNT_DETACH 2
-+ umount2("/proc",MNT_DETACH);
-+
-+ if (enforcing >=0)
-+ *enforce = enforcing;
-+ else if (seconfig == 1)
-+ *enforce = 1;
-+
-+ if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
-+ if (errno == ENODEV) {
-+ log(L_VB, "SELinux not supported by kernel: %s\n",SELINUXMNT,strerror(errno));
-+ *enforce = 0;
-+ } else {
-+ log(L_VB, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
-+ }
-+ return ret;
-+ }
-+
-+ selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
-+
-+ policy_version=security_policyvers();
-+ if (policy_version < 0) {
-+ log(L_VB, "Can't get policy version: %s\n", strerror(errno));
-+ goto UMOUNT;
-+ }
-+
-+ rc = security_getenforce();
-+ if (rc < 0) {
-+ log(L_VB, "Can't get SELinux enforcement flag: %s\n", strerror(errno));
-+ goto UMOUNT;
-+ }
-+ if (enforcing >= 0) {
-+ *enforce = enforcing;
-+ } else if (seconfig == -1) {
-+ *enforce = 0;
-+ rc = security_disable();
-+ if (rc == 0) umount(SELINUXMNT);
-+ if (rc < 0) {
-+ rc = security_setenforce(0);
-+ if (rc < 0) {
-+ log(L_VB, "Can't disable SELinux: %s\n", strerror(errno));
-+ goto UMOUNT;
-+ }
-+ }
-+ ret = 0;
-+ goto UMOUNT;
-+ } else if (seconfig >= 0) {
-+ *enforce = seconfig;
-+ rc = security_setenforce(seconfig);
-+ if (rc < 0) {
-+ log(L_VB, "Can't set SELinux enforcement flag: %s\n", strerror(errno));
-+ goto UMOUNT;
-+ }
-+ }
-+
-+ snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
-+ fd = open(policy_file, O_RDONLY);
-+ if (fd < 0) {
-+ /* Check previous version to see if old policy is available
-+ */
-+ snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
-+ fd = open(policy_file, O_RDONLY);
-+ if (fd < 0) {
-+ log(L_VB, "Can't open '%s.%d': %s\n",
-+ selinux_binary_policy_path(),policy_version,strerror(errno));
-+ goto UMOUNT;
-+ }
-+ }
-+
-+ if (fstat(fd, &sb) < 0) {
-+ log(L_VB, "Can't stat '%s': %s\n",
-+ policy_file, strerror(errno));
-+ goto UMOUNT;
-+ }
-+
-+ map = mmap(NULL, sb.st_size, PROT_READ, MAP_SHARED, fd, 0);
-+ if (map == MAP_FAILED) {
-+ log(L_VB, "Can't map '%s': %s\n",
-+ policy_file, strerror(errno));
-+ goto UMOUNT;
-+ }
-+ log(L_VB, "Loading security policy\n");
-+ ret=security_load_policy(map, sb.st_size);
-+ if (ret < 0) {
-+ log(L_VB, "security_load_policy failed\n");
-+ }
-+
-+UMOUNT:
-+ /*umount(SELINUXMNT); */
-+ if ( fd >= 0) {
-+ close(fd);
-+ }
-+ return(ret);
-+}
-+
- /*
- * Sleep a number of seconds.
- *
-@@ -2513,6 +2642,7 @@
- char *p;
- int f;
- int isinit;
-+ int enforce = 0;
-
- /* Get my own name */
- if ((p = strrchr(argv[0], '/')) != NULL)
-@@ -2576,6 +2706,20 @@
- maxproclen += strlen(argv[f]) + 1;
- }
-
-+ if (getenv("SELINUX_INIT") == NULL) {
-+ putenv("SELINUX_INIT=YES");
-+ if (load_policy(&enforce) == 0 ) {
-+ execv(myname, argv);
-+ } else {
-+ if (enforce > 0) {
-+ /* SELinux in enforcing mode but load_policy failed */
-+ /* At this point, we probably can't open /dev/console, so log() won't work */
-+ printf("Enforcing mode requested but no policy loaded. Halting now.\n");
-+ exit(1);
-+ }
-+ }
-+ }
-+
- /* Start booting. */
- argv0 = argv[0];
- argv[1] = NULL;
---- sysvinit-2.85/src/sulogin.c.selinux 2004-06-09 15:28:47.321430584 -0400
-+++ sysvinit-2.85/src/sulogin.c 2004-06-09 15:28:47.523399880 -0400
-@@ -28,7 +28,10 @@
- #if defined(__GLIBC__)
- # include <crypt.h>
- #endif
--
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#include <selinux/get_context_list.h>
-+#endif
- #define CHECK_DES 1
- #define CHECK_MD5 1
-
-@@ -332,6 +335,16 @@
- signal(SIGINT, SIG_DFL);
- signal(SIGTSTP, SIG_DFL);
- signal(SIGQUIT, SIG_DFL);
-+#ifdef WITH_SELINUX
-+ if (is_selinux_enabled > 0) {
-+ security_context_t* contextlist=NULL;
-+ if (get_ordered_context_list("root", 0, &contextlist) > 0) {
-+ if (setexeccon(contextlist[0]) != 0)
-+ fprintf(stderr, "setexeccon faile\n");
-+ freeconary(contextlist);
-+ }
-+ }
-+#endif
- execl(sushell, shell, NULL);
- perror(sushell);
-
diff --git a/sys-apps/sysvinit/sysvinit-2.86.ebuild b/sys-apps/sysvinit/sysvinit-2.86.ebuild
index cd4a0cf5c67b..524fda4f9622 100644
--- a/sys-apps/sysvinit/sysvinit-2.86.ebuild
+++ b/sys-apps/sysvinit/sysvinit-2.86.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/sysvinit/sysvinit-2.86.ebuild,v 1.2 2005/01/01 22:08:41 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/sysvinit/sysvinit-2.86.ebuild,v 1.3 2005/01/04 02:03:14 pebenito Exp $
inherit eutils toolchain-funcs
@@ -14,7 +14,7 @@ SLOT="0"
KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
IUSE="selinux bootstrap build"
-RDEPEND="selinux? ( >=sys-libs/libselinux-1.14 )"
+RDEPEND="selinux? ( >=sys-libs/libselinux-1.14 sys-libs/libsepol )"
DEPEND="${RDEPEND}
virtual/os-headers"