[ubuntu-hardened] [PATCH] Initial policy load from load_policy

Chad Sellers csellers at tresys.com
Wed Nov 7 22:10:27 GMT 2007 

On 11/7/07 4:26 PM, "Stephen Smalley" <sds at tycho.nsa.gov> wrote:

> On Wed, 2007-11-07 at 16:17 -0500, Chad Sellers wrote:
>> The below patch adds a -i option to load_policy to perform the initial
>> policy load. The inital policy load is currently done in systems using
>> sysvinit by init itself, which then re-exec's itself. Ubuntu uses
>> upstart instead of sysvinit. In talks with the Ubuntu folks, they'd
>> prefer to load policy from initramfs before upstart starts rather than
>> patching upstart.
>> 
>> Signed-off-by: Chad Sellers <csellers at tresys.com>
>> ---
>> 
>> load_policy.8 |   19 ++++++++++++++++++-
>> load_policy.c |   29 +++++++++++++++++++++++++----
>> 2 files changed, 43 insertions(+), 5 deletions(-)
>> 
>> Index: policycoreutils/load_policy/load_policy.c
>> ===================================================================
>> --- policycoreutils/load_policy/load_policy.c    (revision 2679)
>> +++ policycoreutils/load_policy/load_policy.c    (working copy)
>> @@ -19,13 +19,13 @@
>>  
>>  void usage(char *progname)
>>  {
>> -    fprintf(stderr, _("usage:  %s [-q]\n"), progname);
>> +    fprintf(stderr, _("usage:  %s [-qi]\n"), progname);
>>      exit(1);
>>  }
>>  
>>  int main(int argc, char **argv)
>>  {
>> -    int ret, opt, quiet = 0, nargs;
>> +    int ret, opt, quiet = 0, nargs, init=0, enforce=0;
>>  
>>  #ifdef USE_NLS
>>      setlocale(LC_ALL, "");
>> @@ -33,7 +33,7 @@
>>      textdomain(PACKAGE);
>>  #endif
>>  
>> -    while ((opt = getopt(argc, argv, "bq")) > 0) {
>> +    while ((opt = getopt(argc, argv, "bqi")) > 0) {
>>          switch (opt) {
>>          case 'b':
>>              fprintf(stderr, "%s:  Warning! The -b option is no longer
>> supported, booleans are always preserved across reloads.  Continuing...\n",
>> @@ -43,6 +43,9 @@
>>              quiet = 1;
>>              sepol_debug(0);
>>              break;
>> +        case 'i':
>> +            init = 1;
>> +            break;
>>          default:
>>              usage(argv[0]);
>>          }
>> @@ -62,7 +65,25 @@
>>              argv[0], argv[optind++]);
>>      }
>>  
>> -    ret = selinux_mkload_policy(1);
>> +    if (init) {
>> +        if (is_selinux_enabled() == 1) {
>> +            /* SELinux is already enabled, we should not do an initial
>> load again */
>> +            fprintf(stderr,
>> +                _("%s:  Policy is already loaded and initial load
>> requested\n"),
>> +                argv[0]);
>> +            exit(2);
>> +        }
>> +        ret = selinux_init_load_policy(&enforce);
>> +        if (ret != 0 ) {
>> +             if (enforce > 0) {
>> +                /* SELinux in enforcing mode but load_policy failed */
> 
> An error message here would be helpful, assuming that such error
> messages are displayed at all on the console.
> 
I was planning to just display the error in the caller, as the caller will
be the one to halt the system (not load_policy).

> How do you plan to handle an error in the caller?  System should be
> halted in this case.
> 
I plan to check the return value in the caller and halt in this case. That's
why I added a new return value (3). Basically, something like this:

set +e
chroot /root load_policy -i
RET=$?
if [ $RET -eq 3 ]; then echo "SELinux policy load failed and enforcing mode
requested, halting now"; halt;
elif [ $RET -ne 0 ]; then echo "SELinux policy load failed, continuing";
fi

>> +                exit(3);
>> +            }
>> +        }
>> +    }
>> +    else {
>> +        ret = selinux_mkload_policy(1);
>> +    }
>>      if (ret < 0) {
>>          fprintf(stderr, _("%s:  Can't load policy:  %s\n"),
>>              argv[0], strerror(errno));
>> Index: policycoreutils/load_policy/load_policy.8
>> ===================================================================
>> --- policycoreutils/load_policy/load_policy.8    (revision 2679)
>> +++ policycoreutils/load_policy/load_policy.8    (working copy)
>> @@ -4,7 +4,7 @@
>>  
>>  .SH SYNOPSIS
>>  .B load_policy
>> -[-q]
>> +[-qi]
>>  .br
>>  .SH DESCRIPTION
>>  .PP
>> @@ -17,7 +17,24 @@
>>  .TP
>>  .B \-q
>>  suppress warning messages.
>> +.TP
>> +.B \-i
>> +inital policy load. Only use this if this is the first time policy is
>> being loaded since boot (usually called from initramfs).
>>  
>> +.SH "EXIT STATUS"
>> +.TP
>> +.B 0
>> +Success
>> +.TP
>> +.B 1
>> +Invalid option
>> +.TP
>> +.B 2
>> +Policy load failed
>> +.TP
>> +.B 3
>> +Initial policy load failed and enforcing mode requested
>> +
>>  .SH SEE ALSO
>>  .B booleans
>>  (8),
>> 
>> 
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo at tycho.nsa.gov with
>> the words "unsubscribe selinux" without quotes as the message.

More information about the ubuntu-hardened mailing list