Your message dated Sun, 29 Oct 2006 10:02:12 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#394304: fixed in sysvinit 2.86.ds1-34
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: sysvinit
Version: 2.86.ds1-33
Severity: normal
Tags: patch


Hi,

        I am including a patch that updates support for SELinux. The
 process is to replace debian/patches/40_selinux.dpatch with the
 version below; and remove debian/patches/41_selinux_console.dpatch,
 and the entry in debian/patches/00list.

        I have tested the resulting package; I am running them right now

        manoj

#! /bin/sh /usr/share/dpatch/dpatch-run
## 40_selinux.dpatch by Manoj Srivastava <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Add Selinux capabilities

@DPATCH@

diff -uBbwr sysvinit-2.86.ds1.orig/src/init.c sysvinit-2.86.ds1/src/init.c
--- sysvinit-2.86.ds1.orig/src/init.c	2006-10-19 14:57:57.000000000 -0500
+++ sysvinit-2.86.ds1/src/init.c	2006-10-19 15:15:17.000000000 -0500
@@ -43,6 +43,11 @@
 #include <sys/syslog.h>
 #include <sys/time.h>
 
+#ifdef WITH_SELINUX
+#  include <selinux/selinux.h>
+#endif
+
+
 #ifdef __i386__
 #  if (__GLIBC__ >= 2)
      /* GNU libc 2.x */
@@ -2599,6 +2604,7 @@
 	char			*p;
 	int			f;
 	int			isinit;
+	int			enforce = 0;
 
 	/* Get my own name */
 	if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2662,6 +2668,21 @@
 		maxproclen += strlen(argv[f]) + 1;
 	}
 
+#ifdef WITH_SELINUX
+  	if (getenv("SELINUX_INIT") == NULL) {
+	  putenv("SELINUX_INIT=YES");
+	  if (selinux_init_load_policy(&enforce) == 0 ) {
+	    execv(myname, argv);
+	  } else {
+	    if (enforce > 0) {
+	      /* SELinux in enforcing mode but load_policy failed */
+	      /* At this point, we probably can't open /dev/console, so log() won't work */
+		    fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
+	      exit(1);
+	    }
+	  }
+	}
+  #endif
 	/* Start booting. */
 	argv0 = argv[0];
 	argv[1] = NULL;
diff -uBbwr sysvinit-2.86.ds1.orig/src/Makefile sysvinit-2.86.ds1/src/Makefile
--- sysvinit-2.86.ds1.orig/src/Makefile	2006-10-19 14:57:57.000000000 -0500
+++ sysvinit-2.86.ds1/src/Makefile	2006-10-19 15:09:30.000000000 -0500
@@ -51,6 +51,18 @@
 INSTALL_DATA	= install -o $(BIN_OWNER) -g $(BIN_GROUP) -m 644
 MANDIR		= /usr/share/man
 
+ifeq ($(WITH_SELINUX),yes)
+  SELINUX_DEF=-DWITH_SELINUX
+  INIT_SELIBS=-lsepol -lselinux
+  SULOGIN_SELIBS=-lselinux	
+else
+  SELINUX_DEF=
+  INIT_SELIBS=
+  SULOGIN_SELIBS=
+endif
+
+
+
 # Additional libs for GNU libc.
 ifneq ($(wildcard /usr/lib/libcrypt.a),)
 LCRYPT		= -lcrypt
@@ -59,7 +71,7 @@
 all:		$(BIN) $(SBIN) $(USRBIN)
 
 init:		init.o init_utmp.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)
 
 halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
 		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -80,7 +92,7 @@
 		$(CC) $(LDFLAGS) -o $@ runlevel.o
 
 sulogin:	sulogin.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ sulogin.o $(LCRYPT)
+		$(CC) $(LDFLAGS) $(STATIC) $(SELINUX_DEF) -o $@ $^ $(LCRYPT) $(SULOGIN_SELIBS)
 
 wall:		dowall.o wall.o
 		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
@@ -91,8 +103,11 @@
 bootlogd:	bootlogd.o
 		$(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
 
+sulogin.o:	sulogin.c 
+		$(CC) -c $(CFLAGS) $(SELINUX_DEF) sulogin.c
+
 init.o:		init.c init.h set.h reboot.h initreq.h
-		$(CC) -c $(CFLAGS) init.c
+		$(CC) -c $(CFLAGS) $(SELINUX_DEF)  init.c
 
 utmp.o:		utmp.c init.h
 		$(CC) -c $(CFLAGS) utmp.c
diff -uBbwr sysvinit-2.86.ds1.orig/src/sulogin.c sysvinit-2.86.ds1/src/sulogin.c
--- sysvinit-2.86.ds1.orig/src/sulogin.c	2006-10-19 14:57:03.000000000 -0500
+++ sysvinit-2.86.ds1/src/sulogin.c	2006-10-19 15:19:24.000000000 -0500
@@ -28,6 +28,11 @@
 #  include <crypt.h>
 #endif
 
+#ifdef WITH_SELINUX
+#  include <selinux/selinux.h>
+#  include <selinux/get_context_list.h>
+#endif
+
 #define CHECK_DES	1
 #define CHECK_MD5	1
 
@@ -335,6 +340,21 @@
 	signal(SIGINT, SIG_DFL);
 	signal(SIGTSTP, SIG_DFL);
 	signal(SIGQUIT, SIG_DFL);
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled > 0) {
+	  security_context_t scon=NULL;
+	  char *seuser=NULL;
+	  char *level=NULL;
+	  if (getseuserbyname("root", &seuser, &level) == 0)
+		  if (get_default_context_with_level(seuser, level, 0, &scon) > 0) {
+			  if (setexeccon(scon) != 0) 
+				  fprintf(stderr, "setexeccon faile\n");
+			  freecon(scon);
+		  }
+		free(seuser);
+		free(level);
+	}
+#endif
 	execl(sushell, shell, NULL);
 	perror(sushell);
 
        Here is a patch that does that:

diff -NuBbwr sysvinit-2.86.ds1.orig/debian/patches/00list sysvinit-2.86.ds1/debian/patches/00list
--- sysvinit-2.86.ds1.orig/debian/patches/00list	2006-10-19 14:35:21.000000000 -0500
+++ sysvinit-2.86.ds1/debian/patches/00list	2006-10-19 15:35:46.000000000 -0500
@@ -12,7 +12,6 @@
 30_strip
 31_build_warnings
 40_selinux
-41_selinux_console
 45_pidof_symlink
 50_bootlogd_exitcode
 51_bootlogd_syncalot
diff -NuBbwr sysvinit-2.86.ds1.orig/debian/patches/40_selinux.dpatch sysvinit-2.86.ds1/debian/patches/40_selinux.dpatch
--- sysvinit-2.86.ds1.orig/debian/patches/40_selinux.dpatch	2006-10-19 14:35:21.000000000 -0500
+++ sysvinit-2.86.ds1/debian/patches/40_selinux.dpatch	2006-10-19 15:36:15.000000000 -0500
@@ -1,173 +1,27 @@
 #! /bin/sh /usr/share/dpatch/dpatch-run
-## 40_selinux.dpatch by Manoj Srivastava
+## 40_selinux.dpatch by Manoj Srivastava <[EMAIL PROTECTED]>
 ##
 ## All lines beginning with `## DP:' are a description of the patch.
-## DP: Add support for SELinux.
+## DP: Add Selinux capabilities
 
 @DPATCH@
-Index: trunk/src/init.c
-===================================================================
---- trunk/src/init.c	(revisjon 34)
-+++ trunk/src/init.c	(arbeidskopi)
-@@ -80,6 +80,157 @@
- 			sigaction(sig, &sa, NULL); \
- 		} while(0)
  
-+
+diff -uBbwr sysvinit-2.86.ds1.orig/src/init.c sysvinit-2.86.ds1/src/init.c
+--- sysvinit-2.86.ds1.orig/src/init.c	2006-10-19 14:57:57.000000000 -0500
++++ sysvinit-2.86.ds1/src/init.c	2006-10-19 15:15:17.000000000 -0500
+@@ -43,6 +43,11 @@
+ #include <sys/syslog.h>
+ #include <sys/time.h>
+ 
 +#ifdef WITH_SELINUX
-+#include <sys/mman.h>
 +#include <selinux/selinux.h>
-+#include <sepol/sepol.h>
-+#include <sys/mount.h>
-+
-+/* Mount point for selinuxfs. */
-+#define SELINUXMNT "/selinux/"
-+int enforcing = -1;		/* SELinux enforcing mode */
-+
-+static int load_policy(int *enforce)
-+{
-+  int fd=-1,ret=-1;
-+  int rc=0, orig_enforce;
-+  struct stat sb;
-+  void *map;
-+  char policy_file[PATH_MAX];
-+  int policy_version=0;
-+  extern char *selinux_mnt;
-+  FILE *cfg;
-+  char buf[4096];
-+  int seconfig = -2;
-+
-+  selinux_getenforcemode(&seconfig);
-+
-+  mount("none", "/proc", "proc", 0, 0);
-+  cfg = fopen("/proc/cmdline","r");
-+  if (cfg) {
-+    char *tmp;
-+    if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
-+      if (tmp == buf || isspace(*(tmp-1))) {
-+        enforcing=atoi(tmp+10);
-+      }
-+    }
-+    fclose(cfg);
-+  }
-+#define MNT_DETACH 2
-+  umount2("/proc",MNT_DETACH);
-+
-+  if (enforcing >=0)
-+    *enforce = enforcing;
-+  else if (seconfig == 1)
-+    *enforce = 1;
-+
-+  if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
-+    if (errno == ENODEV) {
-+      printf("SELinux not supported by kernel: %s\n",strerror(errno));
-+      *enforce = 0;
-+    } else {
-+      printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
-+    }
-+    return ret;
-+  }
-+
-+  selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
-+
-+  policy_version=security_policyvers();
-+  if (policy_version < 0) {
-+    printf( "Can't get policy version: %s\n", strerror(errno));
-+    goto UMOUNT;
-+  }
-+
-+  orig_enforce = rc = security_getenforce();
-+  if (rc < 0) {
-+    printf( "Can't get SELinux enforcement flag: %s\n", strerror(errno));
-+    goto UMOUNT;
-+  }
-+  if (enforcing >= 0) {
-+    *enforce = enforcing;
-+  } else if (seconfig == -1) {
-+    *enforce = 0;
-+    rc = security_disable();
-+    if (rc == 0) umount(SELINUXMNT);
-+    if (rc < 0) {
-+      rc = security_setenforce(0);
-+      if (rc < 0) {
-+        printf("Can't disable SELinux: %s\n", strerror(errno));
-+        goto UMOUNT;
-+      }
-+    }
-+    ret = 0;
-+    goto UMOUNT;
-+  } else if (seconfig >= 0) {
-+    *enforce = seconfig;
-+    if (orig_enforce != *enforce) {
-+      rc = security_setenforce(seconfig);
-+      if (rc < 0) {
-+        printf("Can't set SELinux enforcement flag: %s\n", strerror(errno));
-+        goto UMOUNT;
-+      }
-+    }
-+  }
-+
-+  snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
-+  fd = open(policy_file, O_RDONLY);
-+  if (fd < 0) {
-+    /* Check previous version to see if old policy is available
-+     */
-+    snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
-+    fd = open(policy_file, O_RDONLY);
-+    if (fd < 0) {
-+      printf( "Can't open '%s.%d':  %s\n",
-+          selinux_binary_policy_path(),policy_version,strerror(errno));
-+      goto UMOUNT;
-+    }
-+  }
-+
-+  if (fstat(fd, &sb) < 0) {
-+    printf("Can't stat '%s':  %s\n",
-+        policy_file, strerror(errno));
-+    goto UMOUNT;
-+  }
-+
-+  map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
-+  if (map == MAP_FAILED) {
-+    printf( "Can't map '%s':  %s\n",
-+        policy_file, strerror(errno));
-+    goto UMOUNT;
-+  }
-+
-+
-+  /* Set booleans based on a booleans configuration file. */
-+  ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
-+  if (ret < 0) {
-+    if (errno == ENOENT || errno == EINVAL) {
-+      /* No booleans file or stale booleans in the file; non-fatal. */
-+      printf("Warning!  Error while setting booleans:  %s\n"
-+          , strerror(errno));
-+    } else {
-+      printf("Error while setting booleans:  %s\n",
-+          strerror(errno));
-+      goto UMOUNT;
-+    }
-+  }
-+  printf("Loading security policy\n");
-+  ret=security_load_policy(map, sb.st_size);
-+  if (ret < 0) {
-+    printf("security_load_policy failed\n");
-+  }
-+
-+ UMOUNT:
-+  /*umount(SELINUXMNT); */
-+  if ( fd >= 0) {
-+    close(fd);
-+  }
-+  return(ret);
-+}
 +#endif
 +
 +
- /* Version information */
- char *Version = "@(#) init " VERSION "  " DATE "  [EMAIL PROTECTED]";
- char *bootmsg = "version " VERSION " %s";
-@@ -2599,6 +2750,7 @@
+ #ifdef __i386__
+ #  if (__GLIBC__ >= 2)
+      /* GNU libc 2.x */
+@@ -2599,6 +2604,7 @@
  	char			*p;
  	int			f;
  	int			isinit;
@@ -175,20 +29,20 @@
  
  	/* Get my own name */
  	if ((p = strrchr(argv[0], '/')) != NULL)
-@@ -2662,6 +2814,21 @@
+@@ -2662,6 +2668,21 @@
  		maxproclen += strlen(argv[f]) + 1;
  	}
  
 +#ifdef WITH_SELINUX
 +  	if (getenv("SELINUX_INIT") == NULL) {
 +	  putenv("SELINUX_INIT=YES");
-+	  if (load_policy(&enforce) == 0 ) {
++	  if (selinux_init_load_policy(&enforce) == 0 ) {
 +	    execv(myname, argv);
 +	  } else {
 +	    if (enforce > 0) {
 +	      /* SELinux in enforcing mode but load_policy failed */
 +	      /* At this point, we probably can't open /dev/console, so log() won't work */
-+		    fprintf(stderr,"Enforcing mode requested but no policy loaded. Halting now.\n");
++		    fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
 +	      exit(1);
 +	    }
 +	  }
@@ -197,98 +51,11 @@
  	/* Start booting. */
  	argv0 = argv[0];
  	argv[1] = NULL;
-Index: trunk/src/killall5.c
-===================================================================
---- trunk/src/killall5.c	(revisjon 34)
-+++ trunk/src/killall5.c	(arbeidskopi)
-@@ -165,8 +165,11 @@
- 
- /*
-  *	Read the proc filesystem.
-+ *      since pidOf does not use process sid added a needSid flag to eliminate
-+ *	the need of this privs for SELinux
-+ *
-  */
--int readproc()
-+int readproc(int needSid)
- {
- 	DIR		*dir;
- 	FILE		*fp;
-@@ -259,7 +262,17 @@
- 			free(p);
- 			continue;
- 		}
--
-+		if (needSid) {
-+		  p->sid = getsid(pid);
-+		  if (p->sid < 0) {
-+		    p->sid = 0;
-+		    nsyslog(LOG_ERR, "can't read sid for pid %d\n", pid);
-+		    free(p);
-+		    continue;
-+		  }
-+		} else {
-+		    p->sid = 0;
-+                }
- 		snprintf(path, sizeof(path), "/proc/%s/cmdline", d->d_name);
- 		if ((fp = fopen(path, "r")) != NULL) {
- 
-@@ -519,7 +532,7 @@
- 	argv += optind;
- 
- 	/* Print out process-ID's one by one. */
--	readproc();
-+	readproc(0);
- 	for(f = 0; f < argc; f++) {
- 		if ((q = pidof(argv[f])) != NULL) {
- 			spid = 0;
-@@ -600,7 +613,7 @@
- 	sent_sigstop = 1;
- 
- 	/* Read /proc filesystem */
--	if (readproc() < 0) {
-+	if (readproc(1) < 0) {
- 		kill(-1, SIGCONT);
- 		exit(1);
- 	}
-Index: trunk/src/sulogin.c
-===================================================================
---- trunk/src/sulogin.c	(revisjon 34)
-+++ trunk/src/sulogin.c	(arbeidskopi)
-@@ -28,6 +28,10 @@
- #  include <crypt.h>
- #endif
- 
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#include <selinux/get_context_list.h>
-+#endif
- #define CHECK_DES	1
- #define CHECK_MD5	1
- 
-@@ -335,6 +339,16 @@
- 	signal(SIGINT, SIG_DFL);
- 	signal(SIGTSTP, SIG_DFL);
- 	signal(SIGQUIT, SIG_DFL);
-+#ifdef WITH_SELINUX
-+	if (is_selinux_enabled > 0) {
-+	  security_context_t* contextlist=NULL;
-+	  if (get_ordered_context_list("root", 0, &contextlist) > 0) {
-+	    if (setexeccon(contextlist[0]) != 0) 
-+	      fprintf(stderr, "setexeccon faile\n");
-+	    freeconary(contextlist);
-+	  }
-+	}
-+#endif
- 	execl(sushell, shell, NULL);
- 	perror(sushell);
- 
-Index: trunk/src/Makefile
-===================================================================
---- trunk/src/Makefile	(revisjon 34)
-+++ trunk/src/Makefile	(arbeidskopi)
-@@ -49,6 +49,18 @@
- INSTALL		= install -o $(BIN_OWNER) -g $(BIN_GROUP)
+diff -uBbwr sysvinit-2.86.ds1.orig/src/Makefile sysvinit-2.86.ds1/src/Makefile
+--- sysvinit-2.86.ds1.orig/src/Makefile	2006-10-19 14:57:57.000000000 -0500
++++ sysvinit-2.86.ds1/src/Makefile	2006-10-19 15:09:30.000000000 -0500
+@@ -51,6 +51,18 @@
+ INSTALL_DATA	= install -o $(BIN_OWNER) -g $(BIN_GROUP) -m 644
  MANDIR		= /usr/share/man
  
 +ifeq ($(WITH_SELINUX),yes)
@@ -306,7 +73,7 @@
  # Additional libs for GNU libc.
  ifneq ($(wildcard /usr/lib/libcrypt.a),)
  LCRYPT		= -lcrypt
-@@ -57,7 +69,7 @@
+@@ -59,7 +71,7 @@
  all:		$(BIN) $(SBIN) $(USRBIN)
  
  init:		init.o init_utmp.o
@@ -315,7 +82,7 @@
  
  halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
  		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
-@@ -78,7 +90,7 @@
+@@ -80,7 +92,7 @@
  		$(CC) $(LDFLAGS) -o $@ runlevel.o
  
  sulogin:	sulogin.o
@@ -324,7 +91,7 @@
  
  wall:		dowall.o wall.o
  		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
-@@ -89,8 +101,11 @@
+@@ -91,8 +103,11 @@
  bootlogd:	bootlogd.o
  		$(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
  
@@ -337,3 +104,40 @@
  
  utmp.o:		utmp.c init.h
  		$(CC) -c $(CFLAGS) utmp.c
+diff -uBbwr sysvinit-2.86.ds1.orig/src/sulogin.c sysvinit-2.86.ds1/src/sulogin.c
+--- sysvinit-2.86.ds1.orig/src/sulogin.c	2006-10-19 14:57:03.000000000 -0500
++++ sysvinit-2.86.ds1/src/sulogin.c	2006-10-19 15:19:24.000000000 -0500
+@@ -28,6 +28,11 @@
+ #  include <crypt.h>
+ #endif
+ 
++#ifdef WITH_SELINUX
++#  include <selinux/selinux.h>
++#  include <selinux/get_context_list.h>
++#endif
++
+ #define CHECK_DES	1
+ #define CHECK_MD5	1
+ 
+@@ -335,6 +340,21 @@
+ 	signal(SIGINT, SIG_DFL);
+ 	signal(SIGTSTP, SIG_DFL);
+ 	signal(SIGQUIT, SIG_DFL);
++#ifdef WITH_SELINUX
++	if (is_selinux_enabled > 0) {
++	  security_context_t scon=NULL;
++	  char *seuser=NULL;
++	  char *level=NULL;
++	  if (getseuserbyname("root", &seuser, &level) == 0)
++		  if (get_default_context_with_level(seuser, level, 0, &scon) > 0) {
++			  if (setexeccon(scon) != 0) 
++				  fprintf(stderr, "setexeccon faile\n");
++			  freecon(scon);
++		  }
++		free(seuser);
++		free(level);
++	}
++#endif
+ 	execl(sushell, shell, NULL);
+ 	perror(sushell);
+ 
diff -NuBbwr sysvinit-2.86.ds1.orig/debian/patches/41_selinux_console.dpatch sysvinit-2.86.ds1/debian/patches/41_selinux_console.dpatch
--- sysvinit-2.86.ds1.orig/debian/patches/41_selinux_console.dpatch	2006-10-19 14:35:21.000000000 -0500
+++ sysvinit-2.86.ds1/debian/patches/41_selinux_console.dpatch	1969-12-31 18:00:00.000000000 -0600
@@ -1,74 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-## 41_selinux_console.dpatch by  <[EMAIL PROTECTED]>
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: No description.
-
[EMAIL PROTECTED]@
-diff -urNad --exclude=CVS --exclude=.svn ./src/init.c /tmp/dpep-work.tcSHzc/trunk/src/init.c
---- ./src/init.c	2006-01-27 16:52:38.000000000 +0100
-+++ /tmp/dpep-work.tcSHzc/trunk/src/init.c	2006-01-27 16:55:20.000000000 +0100
-@@ -89,6 +89,7 @@
- 
- /* Mount point for selinuxfs. */
- #define SELINUXMNT "/selinux/"
-+#define BUF_CHARS   (size_t)4096
- int enforcing = -1;		/* SELinux enforcing mode */
- 
- static int load_policy(int *enforce)
-@@ -101,16 +102,20 @@
-   int policy_version=0;
-   extern char *selinux_mnt;
-   FILE *cfg;
--  char buf[4096];
-+  char *buf;
-   int seconfig = -2;
- 
-+  buf = malloc(BUF_CHARS * sizeof(char));
-+  if (!buf)
-+	  return -1;
-+
-   selinux_getenforcemode(&seconfig);
- 
-   mount("none", "/proc", "proc", 0, 0);
-   cfg = fopen("/proc/cmdline","r");
-   if (cfg) {
-     char *tmp;
--    if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
-+    if (fgets(buf, BUF_CHARS, cfg) && (tmp = strstr(buf, "enforcing="))) {
-       if (tmp == buf || isspace(*(tmp-1))) {
-         enforcing=atoi(tmp+10);
-       }
-@@ -127,14 +132,21 @@
- 
-   if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
-     if (errno == ENODEV) {
--      printf("SELinux not supported by kernel: %s\n",strerror(errno));
-       *enforce = 0;
-+      snprintf(buf, BUF_CHARS, "Warning: SELinux not supported by kernel: %s\n",strerror(errno));
-+      print(buf);
-+      free(buf);
-+      return ret;
-     } else {
--      printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
-+      snprintf(buf, BUF_CHARS, "Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
-+      print(buf);
-+      free(buf);
-+      return -1;
-     }
--    return ret;
-   }
- 
-+  free(buf);
-+
-   selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
- 
-   policy_version=security_policyvers();
-@@ -228,6 +240,7 @@
-   }
-   return(ret);
- }
-+#undef BUF_CHARS
- #endif
- 
- 


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-mh1-skas3-v9-pre9-fremap
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)

Versions of packages sysvinit depends on:
ii  initscripts                  2.86.ds1-33 Scripts for initializing and shutt
ii  libc6                        2.3.6.ds1-6 GNU C Library: Shared libraries
ii  libselinux1                  1.30.28-2   SELinux shared libraries
ii  libsepol1                    1.12.26-2   Security Enhanced Linux policy lib
ii  sysv-rc                      2.86.ds1-33 System-V-like runlevel change mech
ii  sysvinit-utils               2.86.ds1-33 System-V-like utilities

sysvinit recommends no packages.

-- no debconf information

-- 
Nothing is so often irretrievably missed as a daily
opportunity. Ebner-Eschenbach
Manoj Srivastava <[EMAIL PROTECTED]> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
#! /bin/sh /usr/share/dpatch/dpatch-run
## 40_selinux.dpatch by Manoj Srivastava <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Add Selinux capabilities

@DPATCH@

diff -uBbwr sysvinit-2.86.ds1.orig/src/init.c sysvinit-2.86.ds1/src/init.c
--- sysvinit-2.86.ds1.orig/src/init.c	2006-10-19 14:57:57.000000000 -0500
+++ sysvinit-2.86.ds1/src/init.c	2006-10-19 15:15:17.000000000 -0500
@@ -43,6 +43,11 @@
 #include <sys/syslog.h>
 #include <sys/time.h>
 
+#ifdef WITH_SELINUX
+#  include <selinux/selinux.h>
+#endif
+
+
 #ifdef __i386__
 #  if (__GLIBC__ >= 2)
      /* GNU libc 2.x */
@@ -2599,6 +2604,7 @@
 	char			*p;
 	int			f;
 	int			isinit;
+	int			enforce = 0;
 
 	/* Get my own name */
 	if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2662,6 +2668,21 @@
 		maxproclen += strlen(argv[f]) + 1;
 	}
 
+#ifdef WITH_SELINUX
+  	if (getenv("SELINUX_INIT") == NULL) {
+	  putenv("SELINUX_INIT=YES");
+	  if (selinux_init_load_policy(&enforce) == 0 ) {
+	    execv(myname, argv);
+	  } else {
+	    if (enforce > 0) {
+	      /* SELinux in enforcing mode but load_policy failed */
+	      /* At this point, we probably can't open /dev/console, so log() won't work */
+		    fprintf(stderr,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
+	      exit(1);
+	    }
+	  }
+	}
+  #endif
 	/* Start booting. */
 	argv0 = argv[0];
 	argv[1] = NULL;
diff -uBbwr sysvinit-2.86.ds1.orig/src/Makefile sysvinit-2.86.ds1/src/Makefile
--- sysvinit-2.86.ds1.orig/src/Makefile	2006-10-19 14:57:57.000000000 -0500
+++ sysvinit-2.86.ds1/src/Makefile	2006-10-19 15:09:30.000000000 -0500
@@ -51,6 +51,18 @@
 INSTALL_DATA	= install -o $(BIN_OWNER) -g $(BIN_GROUP) -m 644
 MANDIR		= /usr/share/man
 
+ifeq ($(WITH_SELINUX),yes)
+  SELINUX_DEF=-DWITH_SELINUX
+  INIT_SELIBS=-lsepol -lselinux
+  SULOGIN_SELIBS=-lselinux	
+else
+  SELINUX_DEF=
+  INIT_SELIBS=
+  SULOGIN_SELIBS=
+endif
+
+
+
 # Additional libs for GNU libc.
 ifneq ($(wildcard /usr/lib/libcrypt.a),)
 LCRYPT		= -lcrypt
@@ -59,7 +71,7 @@
 all:		$(BIN) $(SBIN) $(USRBIN)
 
 init:		init.o init_utmp.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)
 
 halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
 		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -80,7 +92,7 @@
 		$(CC) $(LDFLAGS) -o $@ runlevel.o
 
 sulogin:	sulogin.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ sulogin.o $(LCRYPT)
+		$(CC) $(LDFLAGS) $(STATIC) $(SELINUX_DEF) -o $@ $^ $(LCRYPT) $(SULOGIN_SELIBS)
 
 wall:		dowall.o wall.o
 		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
@@ -91,8 +103,11 @@
 bootlogd:	bootlogd.o
 		$(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
 
+sulogin.o:	sulogin.c 
+		$(CC) -c $(CFLAGS) $(SELINUX_DEF) sulogin.c
+
 init.o:		init.c init.h set.h reboot.h initreq.h
-		$(CC) -c $(CFLAGS) init.c
+		$(CC) -c $(CFLAGS) $(SELINUX_DEF)  init.c
 
 utmp.o:		utmp.c init.h
 		$(CC) -c $(CFLAGS) utmp.c
diff -uBbwr sysvinit-2.86.ds1.orig/src/sulogin.c sysvinit-2.86.ds1/src/sulogin.c
--- sysvinit-2.86.ds1.orig/src/sulogin.c	2006-10-19 14:57:03.000000000 -0500
+++ sysvinit-2.86.ds1/src/sulogin.c	2006-10-19 15:19:24.000000000 -0500
@@ -28,6 +28,11 @@
 #  include <crypt.h>
 #endif
 
+#ifdef WITH_SELINUX
+#  include <selinux/selinux.h>
+#  include <selinux/get_context_list.h>
+#endif
+
 #define CHECK_DES	1
 #define CHECK_MD5	1
 
@@ -335,6 +340,21 @@
 	signal(SIGINT, SIG_DFL);
 	signal(SIGTSTP, SIG_DFL);
 	signal(SIGQUIT, SIG_DFL);
+#ifdef WITH_SELINUX
+	if (is_selinux_enabled > 0) {
+	  security_context_t scon=NULL;
+	  char *seuser=NULL;
+	  char *level=NULL;
+	  if (getseuserbyname("root", &seuser, &level) == 0)
+		  if (get_default_context_with_level(seuser, level, 0, &scon) > 0) {
+			  if (setexeccon(scon) != 0) 
+				  fprintf(stderr, "setexeccon faile\n");
+			  freecon(scon);
+		  }
+		free(seuser);
+		free(level);
+	}
+#endif
 	execl(sushell, shell, NULL);
 	perror(sushell);
 

--- End Message ---
--- Begin Message ---
Source: sysvinit
Source-Version: 2.86.ds1-34

We believe that the bug you reported is fixed in the latest version of
sysvinit, which is due to be installed in the Debian FTP archive:

initscripts_2.86.ds1-34_i386.deb
  to pool/main/s/sysvinit/initscripts_2.86.ds1-34_i386.deb
sysv-rc_2.86.ds1-34_all.deb
  to pool/main/s/sysvinit/sysv-rc_2.86.ds1-34_all.deb
sysvinit-utils_2.86.ds1-34_i386.deb
  to pool/main/s/sysvinit/sysvinit-utils_2.86.ds1-34_i386.deb
sysvinit_2.86.ds1-34.diff.gz
  to pool/main/s/sysvinit/sysvinit_2.86.ds1-34.diff.gz
sysvinit_2.86.ds1-34.dsc
  to pool/main/s/sysvinit/sysvinit_2.86.ds1-34.dsc
sysvinit_2.86.ds1-34_i386.deb
  to pool/main/s/sysvinit/sysvinit_2.86.ds1-34_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <[EMAIL PROTECTED]> (supplier of updated sysvinit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 29 Oct 2006 18:33:33 +0100
Source: sysvinit
Binary: sysv-rc sysvinit-utils sysvinit initscripts
Architecture: source i386 all
Version: 2.86.ds1-34
Distribution: unstable
Urgency: medium
Maintainer: Debian sysvinit maintainers 
<[email protected]>
Changed-By: Petter Reinholdtsen <[EMAIL PROTECTED]>
Description: 
 initscripts - Scripts for initializing and shutting down the system
 sysv-rc    - System-V-like runlevel change mechanism
 sysvinit   - System-V-like init utilities
 sysvinit-utils - System-V-like utilities
Closes: 390126 391605 393465 394304 394332
Changes: 
 sysvinit (2.86.ds1-34) unstable; urgency=medium
 .
   * Medium urgency as it solve some RC bugs.
   * Remove the postinst code in initscripts for mounting /lib/init/rw/.
     Just require a reboot for it to take effect, instead of trying to
     make sure it is mounted when the package is installed.  Flag this
     need using /usr/share/update-notifier/notify-reboot-required if it
     exist.  (Closes: #393465, #391605, #390126)
   * Remove debian/sysv-rc/postinst as well as it is unused now.
   * Replace SElinux patches 40_selinux and 41_selinux_console with updated
     40_selinux from Manoj Srivastava. (Closes: #394304)
   * Print message when refusing to mount nfs directories because the
     lockdir exist.
   * Add exit handler in if-up.d/mountnfs to make sure the lock directory
     is removed when the script is interrupted.
   * Remove NEWS entries explaining how to recover from the version of
     sysv-rc present 6th to 8th of September in unstable.  Remove
     update-rc.d-recover as it should no longer be needed. (Closes:
     #394332)
   * Add XS-Vcs-Svn entry in the control file, to make the subversion
     repository easier to find.
Files: 
 af8a67d1af32fcd1fdbf99465f70b0ab 968 admin required sysvinit_2.86.ds1-34.dsc
 c2d3c959f6b5e1a2b3f7870cfbacfbe9 132108 admin required 
sysvinit_2.86.ds1-34.diff.gz
 a995e62846abef1fb7e5dd6c6ab452da 106644 admin required 
sysvinit_2.86.ds1-34_i386.deb
 0415ec64ed6adaf7e50d784c06a3583f 64978 admin required 
sysvinit-utils_2.86.ds1-34_i386.deb
 ce1499cc736f2769f72e08de9de453d0 58458 admin required 
initscripts_2.86.ds1-34_i386.deb
 be580b1e31d8b48bb1a44c010e1c6382 55340 admin required 
sysv-rc_2.86.ds1-34_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFROgm20zMSyow1ykRAijiAKDIoSuMZZiaDwSXSI4Eg3krWSxNLgCfSEL7
2EZQVHnrfMkWy0PFMk/Yick=
=lVMi
-----END PGP SIGNATURE-----


--- End Message ---
_______________________________________________
Pkg-sysvinit-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-sysvinit-devel

Reply via email to