[ubuntu-hardened] [PATCH] Initial policy load from load_policy
Chad Sellers
csellers at tresys.com
Wed Nov 7 21:17:09 GMT 2007
The below patch adds a -i option to load_policy to perform the initial
policy load. The inital policy load is currently done in systems using
sysvinit by init itself, which then re-exec's itself. Ubuntu uses
upstart instead of sysvinit. In talks with the Ubuntu folks, they'd
prefer to load policy from initramfs before upstart starts rather than
patching upstart.
Signed-off-by: Chad Sellers <csellers at tresys.com>
---
load_policy.8 | 19 ++++++++++++++++++-
load_policy.c | 29 +++++++++++++++++++++++++----
2 files changed, 43 insertions(+), 5 deletions(-)
Index: policycoreutils/load_policy/load_policy.c
===================================================================
--- policycoreutils/load_policy/load_policy.c (revision 2679)
+++ policycoreutils/load_policy/load_policy.c (working copy)
@@ -19,13 +19,13 @@
void usage(char *progname)
{
- fprintf(stderr, _("usage: %s [-q]\n"), progname);
+ fprintf(stderr, _("usage: %s [-qi]\n"), progname);
exit(1);
}
int main(int argc, char **argv)
{
- int ret, opt, quiet = 0, nargs;
+ int ret, opt, quiet = 0, nargs, init=0, enforce=0;
#ifdef USE_NLS
setlocale(LC_ALL, "");
@@ -33,7 +33,7 @@
textdomain(PACKAGE);
#endif
- while ((opt = getopt(argc, argv, "bq")) > 0) {
+ while ((opt = getopt(argc, argv, "bqi")) > 0) {
switch (opt) {
case 'b':
fprintf(stderr, "%s: Warning! The -b option is no longer
supported, booleans are always preserved across reloads. Continuing...\n",
@@ -43,6 +43,9 @@
quiet = 1;
sepol_debug(0);
break;
+ case 'i':
+ init = 1;
+ break;
default:
usage(argv[0]);
}
@@ -62,7 +65,25 @@
argv[0], argv[optind++]);
}
- ret = selinux_mkload_policy(1);
+ if (init) {
+ if (is_selinux_enabled() == 1) {
+ /* SELinux is already enabled, we should not do an initial
load again */
+ fprintf(stderr,
+ _("%s: Policy is already loaded and initial load
requested\n"),
+ argv[0]);
+ exit(2);
+ }
+ ret = selinux_init_load_policy(&enforce);
+ if (ret != 0 ) {
+ if (enforce > 0) {
+ /* SELinux in enforcing mode but load_policy failed */
+ exit(3);
+ }
+ }
+ }
+ else {
+ ret = selinux_mkload_policy(1);
+ }
if (ret < 0) {
fprintf(stderr, _("%s: Can't load policy: %s\n"),
argv[0], strerror(errno));
Index: policycoreutils/load_policy/load_policy.8
===================================================================
--- policycoreutils/load_policy/load_policy.8 (revision 2679)
+++ policycoreutils/load_policy/load_policy.8 (working copy)
@@ -4,7 +4,7 @@
.SH SYNOPSIS
.B load_policy
-[-q]
+[-qi]
.br
.SH DESCRIPTION
.PP
@@ -17,7 +17,24 @@
.TP
.B \-q
suppress warning messages.
+.TP
+.B \-i
+inital policy load. Only use this if this is the first time policy is
being loaded since boot (usually called from initramfs).
+.SH "EXIT STATUS"
+.TP
+.B 0
+Success
+.TP
+.B 1
+Invalid option
+.TP
+.B 2
+Policy load failed
+.TP
+.B 3
+Initial policy load failed and enforcing mode requested
+
.SH SEE ALSO
.B booleans
(8),
More information about the ubuntu-hardened
mailing list