Re: [sysvinit-devel] sysvinit do not enable SELinux when it should
From: Dr. Werner Fink
Subject: Re: [sysvinit-devel] sysvinit do not enable SELinux when it should
Date: Fri, 7 May 2010 09:08:52 +0200
User-agent: Mutt/1.5.20 (2009-06-14)
On Fri, May 07, 2010 at 08:25:28AM +0200, Petter Reinholdtsen wrote:
> According to <URL: http://bugs.debian.org/580272 >, the sysvinit code
> to enable SELinux is broken. Werner, you implemented the current
> version. Do you have any idea how it should be fixed?
The only change from the old version is the check of the
return value of is_selinux_enabled() ... here the old code:
    if (getenv("SELINUX_INIT") == NULL && !is_selinux_enabled()) {
        putenv("SELINUX_INIT=YES");
        if (selinux_init_load_policy(&enforce) == 0) {
            execv(myname, argv);
        } else {
            if (enforce > 0) {
                /* SELinux in enforcing mode but load_policy failed */
                /* At this point, we probably can't open /dev/console,
                   so log() won't work */
                printf("Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
                exit(1);
            }
        }
    }
and now the new code:
    if (getenv("SELINUX_INIT") == NULL) {
        const int rc = mount("proc", "/proc", "proc", 0, 0);
        if (is_selinux_enabled() > 0) {
            putenv("SELINUX_INIT=YES");
            if (rc == 0) umount2("/proc", MNT_DETACH);
            if (selinux_init_load_policy(&enforce) == 0) {
                execv(myname, argv);
            } else {
                if (enforce > 0) {
                    /* SELinux in enforcing mode but load_policy failed */
                    /* At this point, we probably can't open /dev/console,
                       so log() won't work */
                    fprintf(stderr, "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
                    exit(1);
                }
            }
        }
        if (rc == 0) umount2("/proc", MNT_DETACH);
    }
As can be seen, the check of the return value of selinux_init_load_policy()
has not changed, but the check of the return value of is_selinux_enabled() has.
This was done due to a bug report, as is_selinux_enabled() may return -1 on an
error (/proc not mounted because no initrd is used), and the resulting `!-1'
leads to a policy that is not loaded.
Just read the short manual page of is_selinux_enabled(3):

    is_selinux_enabled(3)      SELinux API documentation      is_selinux_enabled(3)

    NAME
           is_selinux_enabled - check whether SELinux is enabled

    NAME
           is_selinux_mls_enabled - check whether SELinux is enabled for
           (Multi Level Security) MLS

    SYNOPSIS
           #include <selinux/selinux.h>

           int is_selinux_enabled();

           int is_selinux_mls_enabled();

    DESCRIPTION
           is_selinux_enabled returns 1 if SELinux is running or 0 if it is not.

           is_selinux_mls_enabled returns 1 if SELinux is running in MLS mode or 0
           if it is not.

    SEE ALSO
           selinux(8)

                               1 January 2004            is_selinux_enabled(3)
and in the source code I've found that, in case /proc is not mounted, the
function is_selinux_enabled(3) indeed also returns -1 (or, more precisely,
if it is not able to open /proc/filesystems for reading).
As selinux_init_load_policy() also mounts the selinuxfs, I guess that
we should check for

    is_selinux_enabled() == 0

Martin? Does this work for you?
Werner
--
"Having a smoking section in a restaurant is like having
a peeing section in a swimming pool." -- Edward Burr
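An added example, not part of Werner's mail nor of the sysvinit or libselinux sources: a simplified model of the behaviour the thread describes (is_selinux_enabled(3) looking for "selinuxfs" in /proc/filesystems and returning -1 when that file cannot be opened), next to the three init checks under discussion, so the outcome for each of the return values -1, 0 and 1 can be seen directly. The parser, the model function and the three check functions are assumptions made for this illustration, not libselinux's implementation.

```c
#include <stdio.h>
#include <string.h>

/* Parse the contents of /proc/filesystems (one "[nodev]<TAB>NAME" per line).
 * Returns 1 if selinuxfs is listed, 0 otherwise. */
int selinuxfs_listed(const char *buf)
{
    const char *line = buf;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *name = memchr(line, '\t', len);   /* name follows the tab */
        if (name) {
            name++;
            size_t nlen = len - (size_t)(name - line);
            if (nlen == 9 && memcmp(name, "selinuxfs", 9) == 0)
                return 1;
        }
        if (!end)
            break;
        line = end + 1;
    }
    return 0;
}

/* Model (assumption, not libselinux) of is_selinux_enabled(): -1 when the
 * file cannot be opened, e.g. because /proc is not mounted yet, otherwise
 * the result of the selinuxfs lookup. */
int model_is_selinux_enabled(const char *path)
{
    char buf[4096];
    FILE *fp = fopen(path, "r");
    if (!fp)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    buf[n] = '\0';
    fclose(fp);
    return selinuxfs_listed(buf);
}

/* The three checks from the thread: does init go on to load the policy?
 * rc is the return value of is_selinux_enabled(). */
int loads_policy_old(int rc)      { return !rc; }      /* old code: !is_selinux_enabled() */
int loads_policy_current(int rc)  { return rc > 0; }   /* new code: is_selinux_enabled() > 0 */
int loads_policy_proposed(int rc) { return rc == 0; }  /* Werner's suggestion: == 0 */
```

Feeding a path that cannot be opened (a constructed placeholder, standing in for an unmounted /proc) through model_is_selinux_enabled() yields the -1 that the thread is about, and the three check functions show how each variant treats it.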