More from Jan Kiszka: this is a port of the latest sysv-init SELinux patch.

It makes busybox invoke the libselinux library function to load the binary
policy right at system start-up. It was successfully tested on a mini-SELinux
system.  Note: requires recent libselinux. I'm using 1.28.

diff --git a/init/init.c b/init/init.c
index 704cfccda16fe48ea1eb2f0db2c99a319fc73978..575ab9775d60e954b8c9fae9107c8d5a4c6931f9 100644 (file)
--- a/init/init.c
+++ b/init/init.c
@@ -39,6 +39,11 @@
 #endif
 
 
+#ifdef CONFIG_SELINUX
+# include <selinux/selinux.h>
+#endif /* CONFIG_SELINUX */
+
+
 #define INIT_BUFFS_SIZE 256
 
 /* From <linux/vt.h> */
@@ -1097,6 +1102,22 @@ int init_main(int argc, char **argv)
                parse_inittab();
        }
 
+#ifdef CONFIG_SELINUX
+       if (getenv("SELINUX_INIT") == NULL) {
+               int enforce = 0;
+
+               putenv("SELINUX_INIT=YES");
+               if (selinux_init_load_policy(&enforce) == 0) {
+                       execv(argv[0], argv);
+               } else if (enforce > 0) {
+                       /* SELinux in enforcing mode but load_policy failed */
+                       /* At this point, we probably can't open /dev/console, so log() won't work */
+                       message(CONSOLE,"Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.");
+                       exit(1);
+               }
+       }
+#endif /* CONFIG_SELINUX */
+
        /* Make the command line just say "init"  -- thats all, nothing else */
        fixup_argv(argc, argv, "init");