[RFC] change policy loading to initramfs
Bill Nottingham
notting at redhat.com
Thu Jan 24 21:31:49 UTC 2008
Peter Jones (pjones at redhat.com) said:
> This is what I get for coding during budget meetings.
Here's an updated patch (tested) that incorporates your changes.
At the moment, while load_policy -i would work, I'm not sure it's best
for Fedora right now as it would require pulling chroot into the initrd,
and handling return code checking in nash's not-quite-a-shell environment.
It's actually simpler to just call the policy load directly.
Bill
-------------- next part --------------
diff -up mkinitrd-6.0.28/nash/nash.c.foo mkinitrd-6.0.28/nash/nash.c
--- mkinitrd-6.0.28/nash/nash.c.foo 2008-01-09 12:12:28.000000000 -0500
+++ mkinitrd-6.0.28/nash/nash.c 2008-01-24 16:28:20.000000000 -0500
@@ -60,6 +60,8 @@
#include <libdevmapper.h>
+#include <selinux/selinux.h>
+
#include <bdevid.h>
#include <nash.h>
@@ -1718,6 +1720,54 @@ mkdirCommand(char * cmd, char * end)
return 0;
}
+
+static int
+loadPolicyCommand(char * cmd, char *end)
+{
+ int enforce = 0;
+ int rootfd;
+
+ rootfd = open("/", O_DIRECTORY|O_RDONLY);
+
+ if (rootfd < 0) {
+ eprintf("loadpolicy: could not open directory: %m\n");
+ return 1;
+ }
+
+ if (chdir("/sysroot") != 0) {
+ eprintf("loadpolicy: unable to change directory: %m\n");
+ close(rootfd);
+ return 1;
+ }
+
+ if (chroot("/sysroot") != 0) {
+ eprintf("loadpolicy: chroot failed: %m\n");
+ close(rootfd);
+ return 1;
+ }
+
+ if (selinux_init_load_policy(&enforce) != 0 && enforce > 0) {
+ eprintf("Unable to load SELinux policy (%m). Halting now.\n");
+ sleep(-1);
+ exit(1);
+ }
+
+ if (fchdir(rootfd) < 0) {
+ eprintf("loadpolicy: unable to change directory: %m\n");
+ sleep(-1);
+ exit(1);
+ }
+
+ if (chroot("..") < 0) {
+ eprintf("loadpolicy: chroot failed: %m\n");
+ sleep(-1);
+ exit(1);
+ }
+
+ close(rootfd);
+ return 0;
+}
+
static int
accessCommand(char * cmd, char * end)
{
@@ -2728,6 +2778,7 @@ static const struct commandHandler handl
{ "find", findCommand },
{ "kernelopt", printKernelOpt },
{ "loadDrivers", loadDriversCommand },
+ { "loadpolicy", loadPolicyCommand },
{ "mkblktab", mkblktabCommand },
{ "mkblkdevs", mkblkdevsCommand },
{ "mkdir", mkdirCommand },
diff -up mkinitrd-6.0.28/mkinitrd.foo mkinitrd-6.0.28/mkinitrd
--- mkinitrd-6.0.28/mkinitrd.foo 2008-01-23 17:09:26.000000000 -0500
+++ mkinitrd-6.0.28/mkinitrd 2008-01-23 17:10:23.000000000 -0500
@@ -1692,6 +1692,13 @@ if [ -n "$dhclient_leases_cmd" ]; then
emit "$dhclient_leases_cmd"
fi
+SELINUX=
+[ -f /etc/selinux/config ] && . /etc/selinux/config
+if [ -n "$SELINUX" -a "$SELINUX" != "disabled" ]; then
+ emit "echo Loading SELinux policy."
+ emit "loadpolicy"
+fi
+
emit "echo Switching to new root and running init."
emit "switchroot"
emit "echo Booting has failed."
More information about the fedora-selinux-list
mailing list