[Pkg-sysvinit-devel] Bug#580272: [sysvinit-devel] sysvinit do not enable SELinux when it should
Dr. Werner Fink
werner at suse.de
Fri May 7 07:08:52 UTC 2010
On Fri, May 07, 2010 at 08:25:28AM +0200, Petter Reinholdtsen wrote:
> According to <URL: http://bugs.debian.org/580272 >, the sysvinit code
> to enable SELinux is broken. Werner, you implemented the current
> version. Do you have any idea how it should be fixed?
The only change from the old version is the check of the
return value of is_selinux_enabled() ... here is the old code:
    if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
        putenv("SELINUX_INIT=YES");
        if (selinux_init_load_policy(&enforce) == 0) {
            execv(myname, argv);
        } else {
            if (enforce > 0) {
                /* SELinux in enforcing mode but load_policy failed */
                /* At this point, we probably can't open /dev/console, so log() won't work */
                printf("Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
                exit(1);
            }
        }
    }
and now the new code:
    if (getenv("SELINUX_INIT") == NULL) {
        const int rc = mount("proc", "/proc", "proc", 0, 0);
        if (is_selinux_enabled() > 0) {
            putenv("SELINUX_INIT=YES");
            if (rc == 0) umount2("/proc", MNT_DETACH);
            if (selinux_init_load_policy(&enforce) == 0) {
                execv(myname, argv);
            } else {
                if (enforce > 0) {
                    /* SELinux in enforcing mode but load_policy failed */
                    /* At this point, we probably can't open /dev/console, so log() won't work */
                    fprintf(stderr, "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
                    exit(1);
                }
            }
        }
        if (rc == 0) umount2("/proc", MNT_DETACH);
    }
As can be seen, the check of the return value of selinux_init_load_policy()
has not changed, but the check of the return value of is_selinux_enabled() has.
This was done due to a bug report, as is_selinux_enabled() may return -1 on an
error (/proc not mounted because no initrd is used), and the resulting `!-1'
leads to the policy not being loaded.
Just read the short manual page of is_selinux_enabled(3):
is_selinux_enabled(3)          SELinux API documentation          is_selinux_enabled(3)

NAME
       is_selinux_enabled - check whether SELinux is enabled

NAME
       is_selinux_mls_enabled - check whether SELinux is enabled for (Multi
       Level Security) MLS

SYNOPSIS
       #include <selinux/selinux.h>

       int is_selinux_enabled();

       int is_selinux_mls_enabled();

DESCRIPTION
       is_selinux_enabled returns 1 if SELinux is running or 0 if it is not.

       is_selinux_mls_enabled returns 1 if SELinux is running in MLS mode or 0
       if it is not.

SEE ALSO
       selinux(8)

russell at coker.com.au            1 January 2004            is_selinux_enabled(3)
And in the source code I've found that in case /proc is not mounted the
function is_selinux_enabled(3) indeed also returns -1 (or rather, if it is not
able to open /proc/filesystems for reading).

As selinux_init_load_policy() also mounts the selinuxfs, I guess that
we should check for

    is_selinux_enabled() == 0

Martin? Does this work for you?
Werner
--
"Having a smoking section in a restaurant is like having
a peeing section in a swimming pool." -- Edward Burr
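The following is an added example, not code from sysvinit, libselinux or this mail. It models the three return values of is_selinux_enabled() that the discussion turns on (-1 when /proc/filesystems cannot be opened, 0 and 1 as in the man page) and runs the old `!rc`, the current `rc > 0` and the proposed `rc == 0` init-time condition against each of them, so the effect of each check on whether init goes on to load policy can be seen on constructed data. The function model_is_selinux_enabled(), its path and context parameters, and the sample /proc/filesystems contents are hypothetical; the detail that the caller's own context is "kernel" until a policy is loaded (and that libselinux then reports 0) is an assumption about libselinux internals, not something the mail states.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of is_selinux_enabled(3):
 *   -1 : the filesystems list (normally /proc/filesystems) cannot be opened,
 *        e.g. because /proc is not mounted yet
 *    0 : no selinuxfs in the list, or (assumption about libselinux) the caller
 *        still runs in the "kernel" context, i.e. no policy is loaded yet
 *    1 : selinuxfs present and a policy is loaded
 * Path and context are parameters so the model runs on constructed input.
 */
int model_is_selinux_enabled(const char *filesystems_path, const char *current_context)
{
    char line[256];
    int have_selinuxfs = 0;
    FILE *fp = fopen(filesystems_path, "r");

    if (fp == NULL)
        return -1;                              /* the case that tripped the old `!rc' check */

    while (fgets(line, sizeof line, fp) != NULL) {
        /* lines look like "nodev\tselinuxfs\n" or "\text3\n" */
        char *name = strrchr(line, '\t');
        name = name ? name + 1 : line;
        name[strcspn(name, "\n")] = '\0';
        if (strcmp(name, "selinuxfs") == 0) {
            have_selinuxfs = 1;
            break;
        }
    }
    fclose(fp);

    if (!have_selinuxfs)
        return 0;
    return strcmp(current_context, "kernel") == 0 ? 0 : 1;
}

/* The three init-time conditions from the mail, each answering
 * "would init go on to call selinux_init_load_policy()?" for a given rc. */
int old_check_loads_policy(int rc)      { return !rc;     }  /* old sysvinit:      !is_selinux_enabled() */
int current_check_loads_policy(int rc)  { return rc > 0;  }  /* current sysvinit:  is_selinux_enabled() > 0 */
int proposed_check_loads_policy(int rc) { return rc == 0; }  /* proposal in mail:  is_selinux_enabled() == 0 */

/* Write a constructed /proc/filesystems look-alike; returns 0 on success. */
int write_filesystems_file(const char *path, int with_selinuxfs)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fputs("nodev\tsysfs\nnodev\tproc\n\text3\n", fp);
    if (with_selinuxfs)
        fputs("nodev\tselinuxfs\n", fp);
    fclose(fp);
    return 0;
}

int main(void)
{
    const char *path = "/tmp/model_filesystems";
    const char *labels[] = { "/proc not mounted", "SELinux kernel, no policy yet", "policy already loaded" };
    const char *checks[] = { "old !rc", "current rc > 0", "proposed rc == 0" };
    int (*fn[])(int) = { old_check_loads_policy, current_check_loads_policy, proposed_check_loads_policy };
    int rcs[3];

    rcs[0] = model_is_selinux_enabled("/nonexistent/dir/filesystems", "kernel");  /* /proc missing */
    write_filesystems_file(path, 1);
    rcs[1] = model_is_selinux_enabled(path, "kernel");                             /* boot: policy not loaded */
    rcs[2] = model_is_selinux_enabled(path, "system_u:system_r:init_t");           /* after execv: loaded */

    for (int i = 0; i < 3; i++) {
        printf("%-30s rc=%2d :", labels[i], rcs[i]);
        for (int j = 0; j < 3; j++)
            printf("  %s -> %s", checks[j], fn[j](rcs[i]) ? "load" : "skip");
        printf("\n");
    }
    remove(path);
    return 0;
}
```

Run as a normal user it needs no SELinux at all, since everything it reads is the constructed file. The table it prints shows the trade-off directly: `!rc` skips policy loading on -1, `rc > 0` never loads at boot because the pre-policy value is 0, and `rc == 0` loads exactly once, in the state where init is still running unconfined.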