How-to, SELinux+Upstart

nnm nnm.one at gmail.com
Fri Jul 6 21:47:29 BST 2007


Hello

I tried to integrate an SELinux patch with upstart but it didn't work for
various reasons, so here's the next best thing, initializing it with a
pre-init program. This is also a tutorial for how to compile the program and
make it run with upstart, after that, you're on your own =).

sudo su

#0.) Get the required tools.
$ apt-get -y install libselinux1 libselinux1-dev setools selinux-basics selinux-utils selinux-policy-refpolicy-targeted build-essential linux-headers-$(uname -r) m4

#1.)
$ cd /usr/src ; apt-get -y install selinux-policy-refpolicy-src; tar -zxvf selinux-policy-refpolicy-src.tar.gz ; cd selinux-policy-refpolicy-src

#2.)
Edit these values in the build.conf file:
OUTPUT_POLICY = 21
MONOLITHIC = y

#3.)
$ make clean
$ make
$ cp policy.21 /etc/selinux/refpolicy-targeted/policy/

#4.)
paste this into a file named pre-init.cpp:
#include <iostream>
#include <cstdlib>
#include <cstdio>
#include <unistd.h>
#include <selinux/selinux.h>
using namespace std;

int main(int argc, char *argv[]) {
        int enforce = 0;

        /* SELINUX_INIT marks that the policy load already happened, so a
           re-exec of this program after the load does not try it twice. */
        if(getenv("SELINUX_INIT") == NULL) {
                setenv("SELINUX_INIT", "YES", 1);
                /* loads the policy from /etc/selinux and stores the mode from
                   /etc/selinux/config in enforce; returns 0 on success */
                if(selinux_init_load_policy(&enforce) == 0) {
                        cout << "Policy loaded..." << endl;
                        execv("/sbin/init", argv);
                } else {
                        if(enforce > 0) {
                                /* fail closed: enforcing mode was requested but
                                   there is no policy, so do not boot at all */
                                cout << "SELinux in enforcing mode but load_policy failed" << endl;
                                exit(1);
                        }
                }
        }

        /* reached when the policy load failed in permissive mode or the execv
           above failed: PID 1 must never return, so still hand over to the real
           init instead of exiting (which would panic the kernel) */
        execv("/sbin/init", argv);
        perror("execv /sbin/init");
        return 1;
}

#5.)
$ g++ pre-init.cpp -l selinux -l sepol -o pre-init
$ cp pre-init /sbin/ ; chown root:root /sbin/pre-init

#6.)
Reboot and at grub, use this kernel parameter:
init=/sbin/pre-init
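
After the reboot you will want to confirm that the pre-init path actually ran. The script below is an added check, not part of the original post: it looks at whether PID 1 inherited SELINUX_INIT=YES, whether selinuxfs (mounted on /selinux by the libselinux of that time) reports a loaded policy, and whether init ended up in refpolicy's init_t domain rather than kernel_t. The two path arguments are my own addition so the checks can be pointed at a constructed tree; reading /proc/1/environ needs root.

```shell
#!/bin/sh
# Post-reboot check for the pre-init scheme above (added example, not from the
# original post). Defaults assume the real /proc and the /selinux mount point
# used by 2007-era libselinux; both can be overridden for testing.
selinux_boot_status() {
    proc="${1:-/proc}"
    sefs="${2:-/selinux}"
    status=0

    # 1. pre-init sets SELINUX_INIT=YES before exec'ing /sbin/init, so PID 1
    #    should have inherited it; if not, the kernel started /sbin/init directly.
    if tr '\000' '\n' < "$proc/1/environ" 2>/dev/null | grep -qx 'SELINUX_INIT=YES'; then
        echo "ok: PID 1 inherited SELINUX_INIT=YES"
    else
        echo "warn: SELINUX_INIT missing from PID 1 environment (pre-init not used, or not root)"
        status=1
    fi

    # 2. selinuxfs exposes 'enforce' only once a policy is loaded:
    #    1 = enforcing, 0 = permissive (denials are logged but allowed).
    if [ -r "$sefs/enforce" ]; then
        mode=$(cat "$sefs/enforce")
        case "$mode" in
            1) echo "ok: policy loaded, enforcing" ;;
            0) echo "ok: policy loaded, permissive" ;;
            *) echo "warn: unexpected value '$mode' in $sefs/enforce"; status=1 ;;
        esac
    else
        echo "fail: $sefs/enforce not present, no policy loaded"
        status=1
    fi

    # 3. The exec of /sbin/init from pre-init should have moved init out of the
    #    kernel_t domain into init_t; a kernel_t init means no transition happened.
    ctx=$(tr -d '\000' < "$proc/1/attr/current" 2>/dev/null)
    case "$ctx" in
        *:init_t:*)      echo "ok: init runs as $ctx" ;;
        *:kernel_t:*|"") echo "warn: init context is '${ctx:-unset}', no transition to init_t"; status=1 ;;
        *)               echo "info: init runs as $ctx" ;;
    esac
    return $status
}
```

Run `selinux_boot_status` with no arguments on the rebooted machine; exit status 0 means all three checks passed.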

------------------------------------------------

# the selinux-basics service, which relabels the filesystem at boot when you
do 'touch /.autorelabel' is also buggy (/sbin/fixfiles at line 58+).

# Also I'd recommend getting (and using) the latest refpolicy from tresys
at:
http://oss.tresys.com/projects/refpolicy
and the latest selinux tools.

GL


More information about the upstart-devel mailing list